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Abstract 



This thesis contains a collection of algorithms for working with the twisted 
groups of Lie type known as Suzuki groups, and small and large Ree groups. 

The two main problems under consideration are constructive recognition and 
constructive membership testing. We also consider problems of generating and con- 
jugating Sylow and maximal subgroups. 

The algorithms are motivated by, and form a part of, the Matrix Group Recog- 
nition Project. Obtaining both theoretically and practically efficient algorithms has 
been a central goal. The algorithms have been developed with, and implemented 
in, the computer algebra system Magma. 
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Notation 



F Algebraic closure of the field F 
conjugate of g by h, i.e. g^ = h~^gh 
[g, h] commutator of g and h, i.e. [g, /i] = g~^h~^gh 
Ty:{g) trace of the matrix g 

C„ cyclic group of order n, i.e. C„ = Z/nZ 
¥q finite field of size q (or its additive group) 
multiplicative group of Fg 
^{d) The number of field operations required by a random element oracle for 
GL{d,q). 

^ The number of field operations required by a random element oracle for 
GL{k,q) with k constant 
Xd {q) number of field operations required by a discrete logarithm oracle in F^ 
XF{d,q) number of field operations required by an integer factorisation oracle 

(which factorises — 1, for 1 ^ i ^ rf) 
Mat„ (R) matrix algebra of n x n matrices over ring R 
In identity n x n matrix 
Eij matrix with 1 in position {i,j) and elsewhere 
\g\ order of a group element g 
4> Euler totient function 
CTo(n) number of positive divisors of n e N (where ao{n) < 2(1+^) i°go(")/ iogiogc(")) 
Tp Frobenius automorphism in a field F {i.e. tp : x 1-^ where cliar(_F) = p) 
$(G) Frattini subgroup of G (intersection of all maximal subgroups of G) 
Op{G) largest normal p-subgroup of G 
Gp stabiliser in G of the point P 
G' derived subgroup (commutator subgroup) of G 
Na{H) normaliser of in G 
Cg (g) centraliser of in G 
Z(G) centre of G 

End ij(M) algebra of il-endomorphisms of G- module M, where H ^ G 
Aut(M) automorphism group of G-module M (if G < GL{d, q) = H then Aut(M) = 

Cff(G)) 

<S^ (M) symmetric square of module M over a field F (where M ® M = S"^ (M) © 
a2(M) if char(i^) > 2) 
(M) exterior square of module M 
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Sym(O) symmetric group on the sot O 
Sym(n) symmetric group on n points 
D„ dihedral group of order n 
W{y) projective space corresponding to vector space V 
P"(F) n-dimensional projective space over the field F 
[G : H] index of in G 

G.H extension of G by (a group E such that G ^ E and E/G = H) 

G:H split extension of G by ff (as with G.H but E also has a subgroup Hq = H 



o(.) 



such that E = GHq and G D Hq = (1)) 
standard time complexity notation 
Automorphisms defining Sz{q) or Ree(g) 
group homomorphisms 



CHAPTER 1 



Introduction and preliminaries 

1.1. Introduction 

This thesis contains algorithms for some computational problems involving a 
few classes of the finite simple groups. The main focus is on providing efficient 
algorithms for constructive recognition and constructive membership testing, but 
we also consider the conjugacy problem for Sylow and maximal subgroups. 

The work is in the area of computational group theory (abbreviated CGT), 
where one studies algorithmic aspects of groups, or solves group theoretic problems 
using computers. A group can be represented as a data structure in several ways, 
and perhaps the most important ones are permutation groups, matrix groups and 
finitely presented groups. 

The permutation group setting has been studied since the early 1970's, and 
the basic technique which underlies most algorithms is the construction of a base 
and a strong generating set. If G is a permutation group of degree n, this involves 
constructing a descending chain of subgroups of G, where each subgroup in the 
chain has index at most n in its predecessor. The permutation group algorithm 
machinery is summarised in [Ser03| . 

For matrix groups, the classical method is also to construct a base and strong 
generating set. However, in general a matrix group has no faithful permutation 
representation whose degree is polynomial in the size of the input. Hence the indices 
in the subgroup chain will be too large and the permutation group algorithms will 
not be efficient. For example, Sh{d,q) has no proper subgroup of index less than 
{q'^ — l)/(g — 1), and q is exponential in the size of the input, since a matrix has 
size 0(rf^ log((7)) . 

Historically there were two schools within CGT. One consists of people with a 
more computational complexity background, whose primary goal was to find the- 
oretically good (polynomial time) algorithms. The implementation and practical 
performance of the algorithms were less important, since the computational com- 
plexity view, based on many real examples, is that if the "polynomial barrier" is 
broken, then further research will surely lead also to good practical algorithms. The 
other school consists of people with a more group theoretic background, whose pri- 
mary goal was to solve computational problems in group theory (historically often 
one-time problems with the sporadic groups) , and hence to develop algorithms that 
can be easily implemented and that run fast on the current hardware and on the 
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specific input in question. The asymptotic complexity of the algorithms was less 
important, and perhaps did not even make sense in the case of sporadic groups. 

The distinction between these schools has become less noticeable during the 
last 15 years, but during that time there has also been much work on algorithms 
for matrix groups, and there are two main approaches that roughly correspond to 
these two schools. The first approach is the "black box" approach, that considers 
the matrix groups as black box groups (see |Ser03t pp. 17]). This was initiated 
by |Luk92| (but goes back to |BS84| ) and much of it is summarised in [BB99j . 
The other approach is the "geometric" approach, also known as The Matrix Group 
Recognition Project (abbreviated MGRP), whose underlying idea is to use a famous 
theorem of Aschbacher | Asc84j which roughly says that a matrix group either pre- 
serves some geometric structure, or is a simple group. 

Although the author has a background perhaps more in the computational 
complexity school, the work in this thesis forms a part of MGRP. The first specific 
goal in that approach is to obtain an efficient algorithm that finds a composition 
series of a matrix group. There exists a recursive algorithm [LGOl] for this, which 
relies on a number of other algorithms that determine which kind of geometric 
structure is preserved, and the base cases in the recursion are the classes of finite 
simple groups. 

Hence this algorithm reduces the problem of finding a composition series to 
various problems concerning the composition factors of the matrix group, which 
are simple groups. The work presented here is about computing with some of these 
simple groups. 

For each simple group, a number of problems arise. The simple group is given as 
G = {X) ^ PGL(d, q) for some d, q and we need to consider the following problems: 

(1) The problem of recognition or naming of G, i.e. decide the name of G, as 
in the classification of the finite simple groups. 

(2) The constructive membership problem. Given g G PGL(d, q), decide whether 
or not g € G, and if so express g as a straight line program in X . 

(3) The problem of constructive recognition. Construct an isomorphism ip from 
G to a standard copy H of G such that ip{g) can be computed efficiently 
for every g G G. Such an isomorphism is called effective. Also of interest is 
to construct an effective inverse of ifi^^, which essentially is constructive 
membership testing. 

To find a composition series using |LG01j . the problems involving the com- 
position factors that we need to solve are naming and constructive membership. 
However, the effective isomorphisms of these composition factors to standard copies 
can also be very useful. Given such isomorphisms, many problems, sometimes in- 
cluding constructive membership, can be reduced to the standard copies. Hence 
these isomorphisms play a central role in computing with a matrix group once a 
composition series has been constructed. 
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In general, the constructive recognition problem is computationally harder than 
the constructive membership problem, which in turn is harder than the naming 
problem. Most of our efforts will therefore go towards solving constructive recog- 
nition. In fact, the naming problem is not considered in every case here, since the 
algorithm of |BKPS02] solves this problem. However, that algorithm is a Monte 
Carlo algorithm, and in some cases we can improve on that and provide Las Vegas 
algorithms (see Section ri.2.2|) . 

The algorithms presented here are not black box algorithms, but rely heavily 
on the fact that the group elements are matrices, and use the representation the- 
ory of the groups in question. However, the algorithms will work with all possible 
representations of the groups, so a user of the algorithms can consider them black 
box in that sense. 

1.2. Preliminaries 

We now give preliminary discussions and results that will be necessary later 

on. 

1.2.1. Complexity. We shall be concerned with the time complexity of the 
algorithms involved, where the basic operations are the field operations, and not 
the bit operations. All simple arithmetic with matrices can be done using 0(^d^) 
field operations, and raising a matrix to the 0(g) power can be done using ©(d"^) 
field operations using |CLG97] . These complexity bounds arise when using the 
naive matrix multiplication algorithm, which uses O(ci^) field operations to multiply 
two d X d matrices. More efficient algorithms for matrix multiplication do exist. 
Some are also fast in practice, like the famous algorithm of Strassen |Str69j . which 
uses 0((i'°S2 7^ Held operations. Currently, the most efficient matrix multiplication 
algorithm is the Coppersmith- Winograd algorithm of [CW90t ICKSU05] . which 
uses 0(d^ '^^^) field operations, but it is not practical. The improvements made by 
these algorithms over the naive matrix multiplication algorithm are not noticeable 
in practice for the matrix dimensions that are currently within range in the MGRP. 
Therefore we will only use the naive algorithm, which also simplifies the complexity 
statements. 

When we are given a group G ^ GL{d, q) defined by a set X of generators, the 
size of the input is 0(|X| d^log(g)). A field element takes up 0(\og{q)) space, and 
a matrix has d^ entries. 

We shall often assume an oracle for the discrete logarithm problem in (see 
|vzGG03l Section 20.3] and |Shp99[ Chapter 3]). In the general discrete logarithm 
problem, we consider a cyclic group G of order n. The input is a generator a of 
G, and some x G G. The task is to find 1 ^ fc < n such that a'' — x. In 
the multiplicative group is cyclic, and the discrete logarithm problem turns 
up. It is a famous and well-studied problem in theoretical computer science and 
computational number theory, and it is unknown if it is NP-complete or if it is in P, 
although the latter would be very surprising. Currently the most efficient algorithm 
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has sub-exponential complexity. There are also algorithms for special cases, and an 
important case for us is when q = 2^. Then we can use Coppersmith's algorithm 
of |Cop84| i IGM93j . which is much faster in practice than the general algorithms. 
It is not polynomial time, but has time complexity 0(exp(cn^/^ log(n)^/'^)) , where 
c > is a small constant. We shall assume that the discrete logarithm oracle in 
uses 0(x_d((j')) field operations. 

Similarly we will sometimes assume an oracle for the integer factorisation prob- 
lem (see jvzGG03t Chapter 19]), whose status in the complexity hierarchy is similar 
to the discrete logarithm problem. More precisely, we shall assume we have an or- 
acle that, given d ^ 1 and Fg, factorises all the integers — 1 for 1 ^ « ^ d, using 
0(xF(rf, q)) field operations. By [BB991 Theorem 8.2], assuming the Extended Rie- 
mann Hypothesis this is equivalent to the standard integer factorisation problem. 
The reason for having this slightly different factorisation oracle will become clear 
in Section [1.2.51 

Except for these oracles, our algorithms will be polynomial time, so from a 
computational complexity perspective our results will imply that the problems we 
study can be reduced to the discrete logarithm problem or the integer factorisation 
problem. This is in line with MGRP, whose goal from a complexity point of view 
is to prove that computations with matrix groups are not harder than (and hence 
equally hard as) these two well-known problems. 

1.2.2. Probabilistic algorithms. The algorithms we consider are probabilis- 
tic of the types known as Monte Carlo or Las Vegas algorithms. These types of 
algorithms are discussed in [Ser03|. Section 1.3] and [HEO051 Sect ion 3.2.1]. In 
short, a Monte Carlo algorithm for a language X is a probabilistic algorithm with 
an input parameter e € (0,1) such that on input x 

• if a; G X then the algorithm returns true with probability at least I — s 
(otherwise it returns false), 

• if a; ^ X then the algorithm returns false. 

The parameter e is therefore the maximum error probability. This type of algo- 
rithm is also called one-sided Monte Carlo algorithm with no false negatives. The 
languages with such algorithms form the complexity class RP. In the same way 
one can define algorithms with no false positives, and the corresponding languages 
form the class co-RP. The class ZPP — RPnco-RP consists of the languages 
that have Las Vegas algorithms, and these are the type of algorithms that we will 
be most concerned with. A Las Vegas algorithm cither returns failure, with prob- 
ability at most £, or otherwise returns a correct result. Such an algorithm is easily 
contructed given a Monte Carlo algorithm of each type. The time complexity of a 
Las Vegas algorithm naturally depends on e. 

Las Vegas algorithms can be presented concisely as probabilistic algorithms 
that either return a correct result, with probability bounded below by l/p{n) for 
some polynomial p{n) in the size n of the input, or otherwise return failure. By 



1.2. PRELIMINARIES 



14 



enclosing such an algorithm in a loop that iterates [loge/log(l — l/p[n))\ times, 
we obtain an algorithm that returns failure with probability at most e, and hence 
is a Las Vegas algorithm in the above sense. Clearly if the enclosed algorithm is 
polynomial time, the Las Vegas algorithm is polynomial time. 

One can also enclose the algorithm in a loop that iterates until the algorithm 
returns a correct result, thus obtaining a probabilistic time complexity, and the 
expected number of iterations is then 0(p(ri)). This is the way we present Las 
Vegas algorithms since it is the one that is closest to how the algorithm is used in 
practice. 

1.2.3. Straight line programs. For constructive membership testing, we 
want to express an element of a group G = {X) as a word in X. Actually, it should 
be a straight line program, abbreviated to SLP. If we express the elements as words, 
the length of the words might be too large, requiring exponential space complexity. 

An SLP is a data structure for words, which ensures that during evaluation, 
subwords occurring multiple times are not computed more often than during con- 
struction. Often we want to express an element as an SLP in order to obtain its 
homomorphic image in another group H ~ {Y) where \X\ ~ \Y\. The evaluation 
time for the SLP is then bounded by the time to construct it times the ratio of the 
time required for a group operation in H and in G. 

Formally, given a set of generators X, an SLP is a sequence (si , S2, . . . , s„) where 
each Si represents one of the following 

• an X e A" 

• a product sjSk, where j,k < i 

• a power s" where j < i and n ^'L 

• a conjugate s^'' where j,k < i 

so Si is either a pointer into A, a pair of pointers to earlier elements of the sequence, 
or a pointer to an earlier element and an integer. 

To construct an SLP for a word, one starts by listing pointers to the generators 
of A, and then builds up the word. To evaluate the SLP, go through the sequence 
and perform the specified operations. Since we use pointers to the elements of A, 
we can immediately evaluate the SLP on Y , by just changing the pointers so that 
they point to elements of Y . 

1.2.4. Solving polynomial equations. One of the main themes in this work 
is that we reduce search problems in computational group theory to the problem 
of solving polynomial equations over finite fields. The method we use to find the 
solutions of a system of polynomial equations is the classical resultant technique, 
described in [vzGGOS] Section 6.8]. For completeness, we also state the corre- 
sponding result for univariate polynomials. 

Theorem 1.1. Let f G Vq[x] have degree d. There exists a Las Vegas algo- 
rithm that finds all the roots of f that lie in ¥q . The expected time complexity is 
0(cJ(logd)^ loglog((i) log(dq)) field operations. 
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Proof. Immediate from jvzGGOSl Corollary 14.16]. 



□ 



Theorem 1.2. Let fi,...,fk G Wq[x,y] = R be such that the ideal I = 
{fi,...,fk) ^ R is zero-dimensional. Let — max^ deg^. ^ maxj degy = 
riy . There exists a Las Vegas algorithm that finds the corresponding affine variety 
V{I) C F^. The expected time complexity is 0{kn^^{\ognxf'\og\og{nx)\og{nxqy) 
field operations. 

Proof. Following [vzGG03| Section 6.8], we compute fc— 1 pairwise resultants 
of the fi with respect to y to obtain k—1 univariate polynomials in x. By [vzGG03l 
Theorem 6.37], the expected time complexity will be 0(fc(nj,ri^ + "-^^j/)) fi^ld op- 
erations and the resultants will be non-zero since the ideal is zero-dimensional. 

We can find the set Xi of roots of the first polynomial, then find the roots X2 of 
the second polynomial and simultaneously find Xi n X2. By continuing in the same 
way we can find the set X of common roots of the resultants. Since their degrees will 
be O(n^), by Theorem ll.ll we can find X using 0(fcn^ (log (n^))^ log log(rt^) \og[n'^q)) 
field operations. Clearly \X\ ^ O(n^). 

We then substitute each a ^ X into the k polynomials and obtain univariate 
polynomials /i(a, y), . . . , /fc(a, y). These will have degrees 0{ny) and as above we 
find the set Yq of their common roots using 0(fcny(log (ny))^ loglog(ny) log(ny(7)) 
field operations. Clearly V{I) = {(a, 6) | a e X, 6 G Yg} and hence we can find V{I) 
using 0(|X| fcny(log (n^))^ loglog(nj^) \og{nyq)) field operations. Thus the time com- 
plexity is as stated. □ 

The following result is a generalisation of the previous result, and we omit the 
proof, since it is complicated and outside the scope of this thesis. 

Theorem 1.3. Let /i, . . . , fk e Fg[a;i, . . . ,Xk] — F be such that the ideal I = 
(/i, . . . , fk) ^ F is zero-dimensional. Let n = max^j deg^^. fi. There exists a Las 
Vegas algorithm that finds the corresponding affine variety V{I) C F^. The expected 
time complexity is 0((fcn'^ -|- n*''fc^(logn)^ loglog(n*'') log(n'^g))'^') field operations. 

As can be seen, if the number of equations, the number of variables and the 
degree of the equations are constant, then the variety of a zero-dimensional ideal 
can be found in polynomial time. That is the situation we will be most concerned 
with. As an alternative to the resultant technique, one can compute a Grobner 
basis and then find the variety. By [LL91| , if the ideal is zero-dimensional the time 



k is the number of variables. Hence in the situation above this will be polynomial 
time. 

1.2.5. Orders of invertible matrices. The order of a group element g is the 
smallest fc e N such that g'^ — 1. We denote the order of g by \g\. For elements g of 
a matrix group G ^ GL(d, q), an algorithm for finding j^j is presented in |CLG97j . 
In general, to obtain the precise order, this algorithm requires a factorisation of 




where n is the maximum degree of the polynomials and 
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— 1 for 1 ^ i ^ d, otherwise it might return a multiple of the correct order. 
Therefore it depends on the presumably difficult problem of integer factorisation, 
see |vzGG031 Chapter 19]. 

However, in most of the cases we will consider, it will turn out that a multiple of 
the correct order will be sufficient. For example, at certain points in our algorithms 
we shall be concerned with finding elements of order dividing q—1. Hence if we use 
the above algorithm to find the order oi g G G and it reports that \g\ = q — 1, this 
is sufficient for us to use even though we might have \g\ properly dividing q — I. 
Hence integer factorisation is avoided in this case. 

In [BB991 Section 8] the concept of pseudo-order is defined. A pseudo-order 
of an element g is a product of primes and pseudo-primes. A pseudo- prime is a 
composite factor oiq^ — 1 for some i ^ d that cannot conveniently be factorised. The 
order of g is a factor of the pseudo-order in which each pseudo-prime is replaced by 
a non-identity factor of that pseudo-prime. Hence a pseudo-prime is not a multiple 
of a "known" prime, and any two pseudo-primes are relatively prime. 

The algorithm of [CLG97) can also be used to obtain a pseudo-order, and for 
this it has time complexity 0((i'^ log (q) loglog (g"*)) field operations. In fact, the 
algorithm computes the order factorised into primes and pseudo-primes. However, 
even if we have just the pseudo-order, we can still determine if a given prime divides 
the order, without integer factorisation. 

Proposition 1.4. Let G ^ Gh{d,q). There exists a Las Vegas algorithm that, 
given g G, a prime p Cz N and e G N, determines if p"^ \ \g\ and if so finds the 
power of g of order p'^, using ©(d"^ log((7) loglog(5'^)) field operations. 

Proof. Use |CLG97] to find a pseudo-order n of g. Assume that n — p^s 
where p \ s, and |g| = p'r where p \ r, I ^ k and r \ s. Since p is given, [CLG97] 
will make sure that fc = ^, so we assume that this is the case. Moreover, from 
[CLG97j we see gcd(r, s/r) = 1. If a prime pi divides s/r we must have pi ^ p. So 
if pi I l^l we must have pi \ r and hence pi = 1. Thus gcd(s/r, j^l) = 1. 

Hence \g'/''\ = \g''\ = and \g^\ = \{g'''''Y\ = p'. Therefore ^ 1 if 

and only if p^ | l^j. Then g'^P has order p*^. □ 

1.2.6. Random group elements. Our analysis assumes that we can con- 
struct uniformly (or nearly uniformly) distributed random elements of a group 
G = {X) ^ GL{d,q). The algorithm of [Ba b91j produces independent nearly uni- 
formly distributed random elements, but it is not a practical algorithm. It has a 
preprocessing step with time complexity ©(logjCI^) group operations, and each 
random element is then found using 0(log |G|) group operations. 

A more commonly used algorithm is the product replacement algorithm of 
CLGM+95] . It also consists of a preprocessing step, which is polynomial time 
by [PakOOj . and each random element is then found using a constant number of 
group operations (usually 2). This algorithm is practical and included in Magma 
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and GAP. Most of the theory about it is summarised in [PakOlj . For a discussion 
of both these algorithms, see [Ser03[ pp. 26-30]. 

We shall assume that we have a random element oracle, which produces a 
uniformly random element of {X) using 0(^((i)) field operations, and returns it as 
an SLP in X. 

An important issue is the length of the SLPs that are computed. The length of 
the SLPs must be polynomial, otherwise it would not be polynomial time to evaluate 
them. We assume that SLPs of random elements have length 0(n) where n is the 
number of random elements that have been selected so far during the execution of 
the algorithm. 

In [LGM02] , a variant of the product replacement algorithm is presented that 
finds random elements of the normal closure of a subgroup. This will be used here 
to find random elements of the derived subgroup of a group {X), using the fact 
that this is precisely the normal closure of ([a;, y] : a;, y € X). 

1.2.7. Constructive recognition overvievif. If V is an i^G-module for some 
group G and field F, with action f : V x FG V, and if $ is an automorphism 
of G, denote by the i^G-module which has the same elements as V and where 
the action is given by {v,g) i-^ f{v,^{g)) for g E G and v G , extended to FG 
by linearity. We call a twisted version of V, or V twisted by $. If G is a matrix 
group and the automorphism $ is a field automorphism, we call it a Galois twist. 

From [HEO051 Section 7.5.4] we know that G preserves a classical (non- 
unitary) form if and only if V is isomorphic to its dual. We shall use this fact 
occasionally. 

When we say that an algorithm is "given a group (X)" , then the generating 
set X is fixed and known to the algorithm. In other words, the algorithm is given 
the generating set X and will operate in {X) . 

Definition 1.5. Let G,H be matrix groups. An isomorphism tp : G ^ H is 
effective if there exists a polynomial time Las Vegas algorithm that computes ip{g) 
for any given g £ G. 

Of course, an effective isomorphism might be deterministic, since P C ZPP. 

Definition 1.6. The problem of constructive recognition is: 
Input: A matrix group G = {X) with standard copy H = G. 
Ouput: An effective isomorphism ip : G ^ H, such that tp^^ is also effective. 

Now consider an exceptional group with standard copy H ^ GL((i, F^), where 
¥q has characteristic p. The standard copies of the exceptional groups under consid- 
eration will be defined in Chapter[21 Our algorithms should be able to constructively 
recognise any input group G ^ GL(d', q') that is isomorphic to H. 

The assumptions that we make on the input group G are: 

(1) G acts absolutely irreducibly on F^, , 

(2) G is written over the minimal field modulo scalars, 
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(3) G is known to be isomorphic to H, and hence d and q are known. 

A user of our algorithms can easily first apply the algorithms of }HR94] and 
|GLGO06] , described in Sections 11.2.10.11 and 11.2.10.21 to make the group satisfy 
the first two assumptions. The last two assumptions remove much of the need for 
input verification using non-explicit recognition. They arc motivated by the context 
in which our algorithms are supposed to be used. The idea is that our algorithms 
will serve as a base case for the algorithm of [LGOl] or a similar algorithm. In 
the base case it will be known that the group under consideration is almost simple 
modulo scalars. We can then assume that the algorithm can decide if it is dealing 
with a group of Lie type. Then it can use the Monte Carlo algorithm of [OL05| to 
determine the defining characteristic of the group, and next use the Monte Carlo 
algorithm of [BKPSC)2] to determine the name of the group, as well as the defining 
field size q. This standard machinery motivates our assumptions. Because the group 
has only been identified by a Monte Carlo algorithm, there is a small non-zero 
probability that our algorithms might be executed on the wrong group. This has 
to be kept in mind when implementing the algorithms. 

We do not assume that the input is tensor indecomposable, since the tensor 
decomposition algorithm described in Section [1.2. 10. 31 is not polynomial time. 

A number of different cases arise: 

(1) G ^ GL((i', ¥qi ) where Fg/ has characteristic p' ^ p. This is called the cross 
characteristic case. Then |LS74) and [SZ93) tells us that q € 0(/(d')) 
for some polynomial /. This means that q is polynomial in the size of 
the input, which is not the case in general. In this case we can therefore 
use algorithms which normally are exponential time. In particular, by 
}BB99| Theorem 8.6] we can use the classical permutation group methods. 
Therefore we will only consider the case when we are given a group in 
defining characteristic, so that p = p' . 

(2) G < GL(d',F^) where d' > d and F,. Let W be the module of G. 
If W is isomorphic to a tensor product of two modules which both have 
dimension less than dim VF, then we say that W is tensor decomposable. 
Otherwise W is tensor indecomposable. 

Every possible W is isomorphic to a tensor product of twisted versions 
of tensor indecomposable modules of G (and hence of H) . By the Steinberg 
tensor product theorem of [Ste63] , in our cases the twists are Galois twists 
and the number of tensor indecomposable modules is independent of the 
field size, up to twists. 

If W is tensor decomposable, we want to construct a tensor indecom- 
posable representation V of G. In general, this is done using the tensor 
decomposition algorithm described in Section 11.2.10.31 on W, which also 
provides an effective isomorphism from IF to {i.e. between their acting 
groups). But since the algorithm is not polynomial time, a special version 
of one its subroutines has to be provided for each exceptional group. 
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If W is tensor indecomposable, we want to construct a representation 
y of G of dimension d, and we want do it in a way that also constructs an 
effective isomorphism. In principle this is always possible by computing 
tensor products of W and chopping them with the MeatAxe, because a 
composition factor of dimension d will always turn up. However, this is not 
always a practical algorithm, and the time complexity is not very good. 

Note that if the minimal field is a proper subfield of Fg, then the 
tensor decomposition will not succeed. Since we assume that we know q, 
we can embed W canonically into an FgG-modulc. In this case we shall 
therefore always assume that s = q, contrary to our second assumption 
above. 

(3) G GL{d, ¥g), so that, by |Ste63] . G is conjugate to H in GL{d, ¥q). This 
is the most interesting case since there are no standard methods, and we 
shall devote much efi'ort to this case for the exceptional groups that we 
consider. A central issue will be to find elements of order a multiple of p. 
This is a serious obstacle since by |IKS95l IGLOlj , the proportion p{G) 
of these elements in G satisfies 

A<,(G)<^. (1.1) 

Hence we cannot find elements of order a multiple of p by random search 
in polynomial time, so there is no straightforward way to find them. 

To be able to deal with these various cases, we need to know all the absolutely 
irreducible tensor indecomposable representations of H in defining characteristic. 
We also need to know how they arise from the natural representation, which is the 
representation of dimension d over Fg. In our cases, this information is provided by 
[LubOlj . 

1.2.8. Constructive membership testing overview. The other computa- 
tional problem that wc shall consider is the following. 

Definition 1.7. The problem of constructive membership testing is: 
Input: A matrix group G — {X), an element g E U ^ G. 
Output: If g S G, then true and an SLP for g in X, false otherwise. 

In our cases, U is always taken to be the general linear group. One can take 
two slightly different approaches to the problem of expressing an element as an 
SLP in the given generators, depending on whether one wants to find an effective 
isomorphism or find standard generators. 

(1) The approach using an effective isomorphism. 

(a) Given G = {X) with standard copy H, first solve constructive recog- 
nition and obtain an effective isomorphism ip : G H. Hence obtain 
a generating set (p{X) of H. 

(b) Given g & G, express (f{g) as an SLP in >f{X), hence also expressing 
g in X. 
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(2) The approach using standard generators. 

(a) Given G = {X) with standard copy H ^ {yi, . . . ,yk), find Qi, ■ ■ ■ ,gk G 
G as SLPs in X, such that the mapping gi yi is an isomorphism. 

(b) Given g G G, express g as an SLP in {gi, . . . , gk}, hence also express- 
ing it in X. 

In the first case, the constructive membership testing takes place in H, which 
is probably faster than in G, so in this case wc use the standard copy in computa- 
tions. In the second case, the standard copy is only used as a theoretical tool. As it 
stands, the first approach is stronger, since it provides the effective isomorphism, 
and the standard generators in G can be obtained in the first approach, if necessary. 
However, if the representation theory of G is known, so that we can construct a 
module isomorphic to the module of G from the module of H, then the standard 
generators can be used, together with the MeatAxe, to solve constructive recog- 
nition. Hence the two approaches are not very different. One can also mix them 
in various ways, for example in the first case by finding standard generators in H 
expressed in ip{X), and then only express each element in the standard generators, 
which might be easier than to express the elements directly in <fi{X). 

1.2.9. CGT methods. Here we describe some algorithmic methods that we 
will use. Like many methods in CGT they are not really algorithms {i.e. they may 
not terminate on all inputs), or if they are they have very bad (worst-case) time 
complexity. Nevertheless, they can be useful for particular groups, as in our cases. 

1.2.9.1. The dihedral trick. This trick is a method for conjugating involutions 
(i.e. elements of order 2) to each other in a black-box group, defined by a set of 
generators. The nice feature is that if the involutions are given as straight line 
programs in the generators, the conjugating element will be found as a straight line 
program. The dihedral trick is based on the following observation. 

Proposition 1.8. Let G be a group and let a,b G G be involutions such that 
\ba\ =2k + l for some k gZ. Then {ba^ conjugates a to b. 

Proof. Observe that 

{ha)-^a{ba)^ = {baf+^a{baf = {ba)^b{baf = {ba)^a{baf-^ = ... = {ba)a = b 

since a and b are involutions. □ 

Theorem 1.9 (The dihedral trick). Let G = {X) < GL(rf, 5). Assume that the 
probability of the product of two random conjugate involutions in G having odd order 
is at least 1/c. There exists a Las Vegas algorithm that, given conjugate involutions 
a,b G G, finds g G G such that = b. If a,b are given as SLPs of lengths la,lb, 
then g will be found as an SLP of length 0(c(Zo -|- Zb)) . The algorithm has expected 
time complexity 0(c(^(rf) -|- rf^ log(g') loglog(g'^))) field operations. 

Proof. The algorithm proceeds as follows: 
(1) Find random h G G and let ai = a^. 
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(2) Let bi — bai. Use Proposition 11.41 to determine if hi has even order, and 
if so, return to the first step. 

(3) Let n = (|6i| - l)/2 and let g = hV^ = h{aHY . 

By Proposition II. 81 this is a Las Vegas algorithm. The probability that bi has 
odd order is 1/c and hence the expected time complexity is as stated. Note that if 
a and b are given as SLPs in X, then we obtain g as an SLP in X. □ 



1.2.9.2. Involution centralisers. In |HLO"'"06] an algorithm is described that 
reduces the constructive membership problem in a group G to the same problem 
in three involution centralisers in G. The reduction algorithm is known as the Ryba 
algorithm and can be a convenient method to solve the constructive membership 
problem. However, there are obstacles: 

(1) We have to solve the constructive membership problem in the involution 
centralisers of G. In principle this can be done using the Ryba algorithm 
recursively, but such a blind descent might not be very satisfactory. For 
instance, it might not be easy to determine the time complexity of such 
a procedure. Another approach is to provide a special algorithm for the 
involution centraliser. This assumes that the structure of G and its invo- 
lution centralisers are known, which it will be in the cases we consider. 

(2) We have to find involutions in G. As described in Section [1.2.71 this is a 
serious obstacle if the defining field Fg of G has characteristic 2. In odd 
characteristic the situation is better, and in HLO+06] it is proved that 



the Ryba algorithm is polynomial time in this case. Another approach is 
to provide a special algorithm that finds involutions. 
(3) We have to find generators Y for CgU) of a given involution j E G = {X). 
This is possible using the Bray algorithm of |BraOO] . It works by com- 
puting random elements of Ccij) until the whole centraliser is generated. 
This automatically gives the elements of Y as SLPs in X, which is a central 
feature needed by the Ryba algorithm. 

There are two issues involved when using this algorithm. First, the 
generators that are computed may not be uniformly random in Cg(j), so 



that we might have trouble generating the whole centraliser. In HLO+06) 
it is shown that this is not a problem with the exceptional groups. Second, 
we need to provide an algorithm that determines if the whole centraliser 
has been generated. In the cases that we will consider, this will be possible. 
It should be noted that the Bray algorithm works for any black-box group 
and not just for matrix groups. 

Given these obstacles, we will still use the Ryba algorithm for constructive 
membership testing in some cases. We will also use the Bray algorithm indepen- 
dently, since it is a powerful tool. 
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1.2.9.3. The Formula. Like the dihedral trick, this is a method for conjugating 
elements to each other. For a group G, denote by ^{G) the Frattini subgroup of G, 
which is the intersection of the maximal subgroups of G. 

Lemma 1.10 (The Formula). Let G ^ H:Cn, where H is a 2-group and n is 
odd. If a,b dz G have order n = 2k + 1 and a = b mod H , then b = a^ mod ^{H) 
where g = {ba^ . 

Proof. The orders of a, b are their orders in C„. Hence we can replace H with 
H/^{H) without affecting the rest of the assumptions. We can therefore reduce to 
the case when = (1), in other words when H is elementary abelian. 

Then a — aig, b = big, with j^l = n and ai,6i G H. We want to prove that 
a'' = b where h ~ [ba)^ or equivalently that {ba)^b — a{ba)^ . 

Now (60)*^ — (bigaig)^ — (6iaf g^)*^. We can move all occurrences of g to the 
right, so that 

{baf = ^2fc 
from which we see that 

and we want these to be equal. Since g^fe+i _ ggg ^j^g^^ {ba)^b,a{ba)^ £ H, 

and because H is elementary abelian, they are equal if and only if their product 
is the identity. But clearly {ba)^ba{ba)^ = bfaf, where s = X]i=o5 ^ ^'^'^ finally 
6faf = (6ig)2'=+i(ai.g)2''^+i = 1. □ 

Corollary 1.11. Let H ^ P: C„, where P is a 2-group and n is odd, and let 
G 5^ H:S for some group S . If a £ H has order n = 2k + I then for h £ G, such 
that a = mod P, we have ^ = a mod ^{P), where g — {a^a)^ . 

Proof. Observe that both a and have order n and lie in < G. Now apply 
Lemma ri. 101 conclude that = mod <&(-P), and the result follows. □ 

1.2.9.4. Recognition o/PSL(2, q). In [CLGOOG] . an algorithm for constructive 
recognition and constructive membership testing of PSL(2, q) is presented. This 
algorithm is in several aspects the original which our algorithms are modelled after, 
and it is in itself an extension of [CLGOl] , which handles the natural representation. 

We will use |CLGOd6] since PSL(2, q) arise as subgroups of some of the excep- 
tional groups that we consider. Because of this, we state the main results here. Let 
(To(d) be the number of divisors of d e N. From [HW79|, pp. 64, 359, 262], we know 
that for every e > 0, if d is sufficiently large then CTo(d) < 2(i+^)i°So('i)/iogiog„(d)_ 

Here, PSL(2, g) is viewed as a quotient of SL(2, g). Hence the elements are 
cosets of matrices. 
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Theorem 1.12. Assume an oracle for the discrete logarithm problem in ¥q. 
There exists a Las Vegas algorithm that, given (X) ^ GL(d, q) satisfying the as- 
sumptions in Section al. 2. 71 with {X) ^ (P)Sh{2, q) and q ~ p"^, finds an effective 
isomorphism if : {X) (P)SL(2, (7) and performs preprocessing for constructive 
membership testing. The algorithm has expected time complexity 

0{{ad)+dHog{q)log\og{q''))log\og{q) + d^ao{d) \X\ + dxuiq) + 

field operations. 

The inverse of ip is also effective. Each image of ip can be computed using 
0(c?'^) field operations, and each pre-image using 0(^3 log((7) log log(g) +e3) field 
operations. After the algorithm has run, constructive membership testing of g G 
GL(d, q) uses ©(d^ ^og{q) loglog((7) + e"^) field operations, and the resulting SLP has 
length 0(log(g) loglog(g)) . 

The existence of this constructive recognition algorithm has led to several 
other constructive recognition algorithms for the classical groups [BKOll IBroOSal 
IBroOSb], IBK06| . which are polynomial time assuming an oracle for constructive 
recognition of PSL(2, q). 

In some situations we shall also need a fast non-constructive recognition algo- 
rithm of PSL(2, q). It will be used to test if a given subgroup of PSL(2, q) is in fact 
the whole of PSL{2,q), so it is enough to have a Monte Carlo algorithm with no 
false positives. We need to use it in any representation, so the correct context is a 
black-box group. 

Theorem 1.13. Let G = {X) ^ Gh{d,q'). Assume that G is isomorphic to a 
subgroup of PSL(2, q) and that q is known. There exists a one-sided Monte Carlo 
algorithm with no false positives that determines if G ^ PSL(2, q). Given maximum 
error probability e > 0, the time complexity is 

0((C(d) -Hd3log(g)loglog(g'^)) \\og{e)/log{S)]) 

field operations, where 

<5 = (1 - 0(9 - l)/{q - 1))(1 - cPiq + l)/{q + 1)). 

Proof. It is well known that PSL(2,Fq) is generated by two elements having 
order dividing {q ± l)/2, unless one of them lie in PSL(2,Fs) for some < F^. 
We are thus led to an algorithm that performs at most n steps. In each step it 
finds two random elements g and h oi G and computes their pseudo-orders. If g has 
order dividing {q — l)/2, it then determines if g lies in some PSL(2,Fs) by testing 
if g(*^i'/2 — I, If q = p'^ then the possible values of s are p'' where 6 | a, so there 
are ao{a) subfields. If g does not lie in any PSL(2,Fs) then g is remembered. 

Now do similarly for h. Then, if it has found the two elements, it returns true. 
On the other hand, if it completes the n steps without finding these elements, it 
returns false. 
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The proportion in PSL(2,(7) of elements of order (q ± l)/2 is ^((j ± l)/(g± 1), 
so the probabihty that G = PSL(2, q) but we fail to find the elements is at most 
6". We require J" < e and hence n can be chosen as [log(£)/ log(5)] . □ 

1.2.10. Aschbacher classes. The Aschbacher classification of jAsc84) clas- 
sifies matrix groups into a number of classes, and a major part of the MGRP has 
been to develop algorithms that determine constructively if a given matrix group 
belongs to a certain class. Some of these algorithms are used here. 

1.2.10.1. The MeatAxe. Let G = (A) GL{d,q) acting on a module V ^ F^. 
The algorithm known as the MeatAxe determines if V is irreducible. If not, it finds 
a proper non-trivial submodule W of V, and a change of basis matrix c G GL(d, q) 
that exhibits the action of G on Vl^ and on V/W. In other words, the first dimll^ 
rows of c form a basis of W, and g'^ is block lower triangular for every g ^ G. 

Applying the MeatAxe recursively, one finds a composition series of V, and 
a change of basis that exhibits the action of G on the composition factors of V. 
Hence we also obtain effective isomorphisms from G to the groups acting on the 
composition factors of V. 

The MeatAxe was originally developed by Parker in [Par84] and later extended 
and formalised into a Las Vegas algorithm by Holt and Rees in [HR94| . They also 
explain how very similar algorithms can be used to test if V is absolutely irreducible, 
and if two modules are isomorphic. These are also Las Vegas algorithms with the 
same time complexity as the MeatAxe. The worst case of the MeatAxe is treated 
in [ILOO] ■ where it is proved that the expected time complexity is 0(|A| d*) field 
operations. Unless the module is reducible and all composition factors of the module 
are isomorphic, the expected time complexity is 0(|A| d'^) field operations. 

The MeatAxe is also fast in practice and is implemented both in Magma and 
GAP. This important feature is the reason that it is used rather than the first known 
polynomial time algorithm for the same problem, which was given in |R6n90j (and 
is, at best, 0{\X\d^)). 

Some related problems are the following: 

• Determine if G acts absolutely irreducibly on V. 

• Given two irreducible G-modules U, W of dimension d, determine if they 
are isomorphic, and if so find a change of basis matrix c € GL(fi, g) that 
conjugates U to W. 

• Given that G acts absolutely irreducibly on V , determine if G preserves 
a classical form and if so find a matrix for the form. 

• Find a basis for EndG(V^) as matrices of degree d. 

Algorithms for these problems are described in [HEO051 Section 7.5] and they 
all have expected time complexity 0(|A| d^) field operations. We will refer to the 
algorithms for all these problems as "the MeatAxe" . 

1.2.10.2. Writing matrix groups over subfields. If G = (A) ^ GL(d, Fg), then 
G might be conjugate in GL(d, F,) to a subgroup of GL(d, F^) where F^ < Fg, 
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SO that q is a. proper power of s. An algorithm for deciding if this is case is 
given in [GLGOOG] , It is a Las Vegas algorithm with expected time complex- 
ity O(cro(log((j'))(|-^ I d'^ + (P log(g))) field operations. In case G can be written over 
a subfield, then the algorithm also returns a conjugating matrix c that exhibits this 
fact, i.e. so that G"^ can be immediately embedded in GL{d, F^). The algorithm can 
also write a group over a subfield modulo scalars. 

1.2.10.3. Tensor decomposition. Now let G = {X) ^ GL{d, q) acting on a mod- 
ule V = F^. The module might have the structure of a tensor product V = Ui®U2, 
so that G s: Gi o G2 where Gi < GL(J7i) and G2 < GL(f72)- 

The Las Vegas algorithm of |LG097a] determines if V has the structure of a 
tensor product, and if so it also returns a change of basis c e GL(d, q) which exhibits 
the tensor decomposition. In other words, g'^ is an explicit Kronecker product for 
each g G G. The images of g in Gi and G2 can therefore immediately be extracted 
from g'^, and hence we obtain an effective embedding of G into Gi o G2. 

By |LG097b] , for tensor decomposition it is sufficient to find a flat in a pro- 
jective geometry corresponding to the decomposition. A flat is a subspace of V of 
the form A^U2 or Ui®B where A and B are proper subspaces oiUi and U2 respec- 
tively. This flat contains a point, which is a flat with dim A = \ ov dim i? = 1 . If we 
can provide a proposed flat to the algorithm of [LG097a| , then it will verify that 
it is a flat, and if so find a tensor decomposition, using expected 0(|X| log(g)) 
field operations. 

However, in general there is no efficient algorithm for finding a flat of V . If we 
want a polynomial time algorithm for decomposing a specific tensor product, we 
therefore have to provide an efficient algorithm that finds a fiat. 

1.2.11. Conjectures. Most of the results presented will depend on a few 
conjectures. This might be considered awkward and somewhat non-mathematical, 
but it is a result of how the work in this thesis was produced. In almost every 
case with the algorithms that are presented, the implementation of the algorithm 
did exist before the proof of correctness of the algorithm. In fact, the algorithms 
have been developed using a rather empirical method, an interplay between theory 
(mathematical thought) and practice (programming). We consider this to be an 
essential feature of the work, and it has proven to be an effective way to develop 
algorithms that are good in both theory and practice. 

However, it has lead to the fact that there are certain results that have been left 
unproven, either because they have been too hard to prove or have been from an 
area of mathematics outside the scope of this thesis (usually both) . But because of 
the way the algorithms have been developed, there should be no doubt that every 
one of the conjectures are true. The implementations of the algorithms have been 
tested on a vast number of inputs, and therefore the conjectures have also been 
tested equally many times. There has been no case of a conjecture failing. 

More detailed information about the implementations can be found in Chapter 

El 
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Twisted exceptional groups 

Here we will present the necessary theory about the twisted groups under con- 
sideration. 



2.1. Suzuki groups 

The family of exceptional groups now known as the Suzuki groups were first 
found by Suzuki in [Suz60l [Suz62l ISuz64] . and also described in |HB82[ Chapter 
11] which is the exposition that we follow. They should not be confused with the 
Suzuki 2-groups or the sporadic Suzuki group. 



2.1.1. Definition and properties. We begin by defining our standard copy 
of the Suzuki group. Following |HB82( Chapter 11], let g = 22"+! for some m > 
and let tt be the unique automorphism of Fg such that 7r^(a;) = for every a; e Fg, 
i.e. tt{x) = X* where t — 2™+-'^ 
matrices: 



2q. For a,b £¥q and c G F^ , define the following 
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Sz(g) = {S{a,b),M{c),T\ a, 5 e F,, c e F^^) 



(2.1) 
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T={S{a,b) |a,&eFJ 
n={M{c)\ce¥-^] 



(2.5) 
(2.6) 
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then T ^ Sz((3') with \T\ — and 7i = so that Ti is cydic of order q — 1. 
Moreover, we can write M(c) as 



M(c) = Af'(A) 



where A = c^". Hence M(A)* A/'(A). 

The following result follows from |HB821 Chapter 11]. 
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(2.7) 



Theorem 2.1. (1) The order of the Suzuki group is 

\Sz{q)\=q\q^ + l){q-l) (2.8) 

and q'^ + 1 = (q + t+ l){q - t + 1). 

(2) gcd{q — l,g^ + 1) = 1 and hence the three factors in ()2.8p are pairwise 
relatively prime. 

(3) For all ai, 6i, 02, &2 e and A e ; 

S{ai,bi)S{a2,b2) = S{ai + 02, 61 + 62 + 0102) (2.9) 

S{a,b)-^ = S{a,b + a'+^) (2.10) 

S{ai,bif^^^'''^^ = ^(ai, 61 + 0*102 + aifla) (2-11) 

5(a, 6)*^'(^) = 5(A*a, A'+^fo). (2.12) 

(4) There exists O C P'^(Fg) on which Sz(g) acis faithfully and doubly transi- 
tively, such that no nontrivial element of Sz(g) fixes more than 2 points. 
This set is 

O = {(1 : : : 0)} U {{ab + n{a)a'^ + Tr{b) : 6 : a : 1) | a, 6 G F,} . (2.13) 

(5) The stabiliser o/Poo = (1 : : : 0) G O is J="H and tf Pq ^ {0 : : : 1) 
then the stabiliser of (Poo, ^o) *s Ti.. 

(6) Z(.F)={5(0,5)|6eFJ. 

(7) J-Ti. is a Frobenius group with Frobenius kernel T . 

(8) Sz(g) has cyclic Hall subgroups Ui and U2 of orders q ±t + 1. These act 
fixed point freely on O and irreducibly on F^. For each non-trivial g € Ui, 
we have Ccig) ~ Ui. 

(9) The conjugates of J^, Ti, Ui and U2 partition Sz{q). 

(10) The proportion of elements of order q—1 in TH. is (j){q —l)/{q—l), where 
(j) is the Euler totient function. 



Remark 2.2 (Standard generators of Sz(<?)). As standard generators for Sz((7) 
we will use 

{5(l,0),M'(A),r}, 
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where A is a primitive element of F,, whose minimal polynomial is the defining 
polynomial of ¥q. Other sets are possible: in |Bra07j . the standard generators are 

{5(i,o)-i,M'(Ar,r}, 

and Magma uses 

{^(i,o)^^'(^)''',m'(a)1-2'",t}. 

From |HB82[ Chapter 11, Remark 3.12] we also immediately obtain the fol- 
lowing result. 

Theorem 2.3. A maximal subgroup of G — Sz(q) is conjugate to one of the 
following subgroups. 

(1) The point stabiliser TTi. 

(2) The normaliser 'Hq{'H) = T>2(q^i). 

(3) The normalisers Bi ~ ISSciUi) for i = 1,2. These satisfy Bi = {Ui,ti) 
where u*' = u'^ for every u G Ui and [Bi : Ui] ~ 4. 

(4) Sz(s) where q is a proper power of s. 

Proposition 2.4. Let G = Sz(q). 

(1) Distinct conjugates of J-, TL, Ui or U2 intersect trivially. 

(2) The subgroups of G of order are conjugate, and there are (7^ + 1 distinct 
conjugates. 

(3) The cyclic subgroups of G of order q — \ are conjugate, and there are 
q^{q^ + l)/2 distinct conjugates. 

(4) The cyclic subgroups of G of order q ±t + I are conjugate, and there are 
q'^ {q — l){q ^ t + 1) /4 distinct conjugates. 

Proof. (1) By Theorem l2.11 each conjugate of J- fixes exactly one point 

of O. If an clement g lies in two distinct conjugates it must fix two distinct 
points and hence lie in a conjugate of Ti.. But, by the partitioning, the 
conjugates of Ti and intersect trivially, so g — 1. 

li H ^ Ti^ for some x G G and g G Hn Ti,^, then g fixes more than 2 
points of O, so that 5 = 1. If Ui 7^ ?7f for some x G G and g G UiD Uf , 
then Caig) = {U., U Uf) ^ G, so that g = 1. 

(2) This is clear since these subgroups are Sylow 2-subgroups, and hence con- 
jugate to J-. Each subgroup fixes a point of O and hence there are \0\ 
distinct conjugates. 

(3) Because of the partitioning, an element of order q — 1 must lie in a con- 
jugate of 7i, which must be the cyclic subgroup that it generates. By 
Theorem [231 there are [G : ^gCH)] = 9^(9^ + l)/2 distinct conjugates. 

(4) Analogous to the previous case. 

□ 

Proposition 2.5. Let G = Sz(g) and let </> be the Euler totient function. 
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(1) The number of elements in G that fix at least one point of O is q^{q — 
l)(g2 + 5 + 2)/2. 

(2) The number of elements in G of order q~ \ is 4>{q — l)q'^{q'^ + l)/2. 

(3) The number of elements in G of order q ±t + 1 is (j){q ± i + l)(q ^ i + 
l)g2(q-l)/4. 

Proof. (1) By Theorem 12.11 if 5 G G fixes exactly one point, then g is 

in a conjugate of T , and if g fixes two points, then 5 is in a conjugate of 
Ti. Hence by ProDOsition l2.41 there are {\!F\ — l){q'^ + 1) elements that fix 
exactly one point. Similarly, there are q^{q^ + 1)(|'W| — l)/2 elements that 
fix exactly two points. 

Thus the number of elements that fix at least one point is 

1 + (1^1 - + 1) + q\q^ + im\ - l)/2 = + 1 + (2.14) 

(2) By Proposition l2.4[ an element of order q—1 must lie in a conjugate of 7i. 
Since distinct conjugates intersect trivially, the number of such elements 
is the number of generators of all cyclic subgroups of order q — 1. 

(3) Analogous to the previous case. 



□ 



Proposition 2.6. If g £ G ~ Sz{q) is uniformly random, then 



Pr[g fixes a point of O] = '^^ > ^ (2.17) 

and hence the expected number of random selections required to obtain an element 
of order q—1 org±t+l is O (log log q), and 0(l) to obtain an element that fixes 
a point. 



Proof. The first equality follows immediately from Theorem 12.11 and Propo- 
sition [131 The inequalities follow from [MSC961 Section II.8]. 

Clearly the number of selections required is geometrically distributed, where 
the success probabilities for each selection are given by the inequalities. Hence the 
expectations are as stated. □ 

Proposition 2.7. Let G = Sz(g). 

(1) For every g (zG, distinct conjugates ofCcig) intersect trivially. 

(2) IfH i^Gis cyclic of order q-l and g e G\^g{H) then \HgH\ = [q-lf. 

Proof. (1) By Theorem 12.11 we consider three cases. If g lies in a con- 

jugate F of J^, then Ccig) ^ F. If g ^ 1 lies in a conjugate H of H, then 
^Gig) — H and if g lies in a conjugate U of Ui or U2, then Coig) — U. 
In each case the result follows from Proposition [ 
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S{0,b)T- 



(2.18) 



(2) Since \H\ = q - 1 it is enough to show that H n = {1). This follows 
immediately from Proposition 12.41 

□ 

Proposition 2.8. Elements of odd order in Sz{q) that have the same trace are 
conjugate. 

Proof. From |Suz62( §17], the number of conjugacy classes of non-identity 
elements of odd order is g — 1, and all elements of even order have trace 0. Observe 
that 

1 
10 
10 6 
10 6 6* 

Since b can be any element of ¥q, so can Tr (5(0, 6)T), and this also implies that 
S{0, b)T has odd order when 6 7^ 0. Therefore there are q — I possible traces for 
non-identity elements of odd order, and elements with different trace must be non- 
conjugate, so all conjugacy classes must have different traces. □ 

Proposition 2.9. The proportion of elements of order 4 among the elements 
of trace is 1 — 1/q + l/q"^ — l/q'^. 

Proof. The elements of trace are those with orders 1,2,4, and apart from 
the identity these are the elements that fix precisely one point of O. From the proof 
of Proposition [mi there are g'* elements of trace 0. 

The elements of order 4 lie in a conjugate of and there are q^ — q elements 
in each conjugate. Hence from Proposition 12.41 there are q{q — l){q'^ + 1) elements 
of order 4. □ 

Proposition 2.10. Let P — {pi : p2 : ps : pa) G be uniformly random, 
where = {Rg \ R E O} for some g E GL(4, q). Then 

(1) 

Pr[K^0h-l,...,4] ^ (^1-^i^^ . (2.19) 
(2) If Q ~ (<7i : <Z2 : ?3 : ^4) G is fixed, then 

Prlplql-"' ^ qIpV-'] ^ 1 - ^^F^- (2-20) 

Proof. (1) By |HB821 Chapter 11, Lemma 3.4], O is an ovoid, so it 

intersects any (projective) line in P^(Fq) in at most 2 points. The condition 
Pt^O defines a projective plane V (=F^(¥q). If O^nV ^9 then it contains 
a point A, and there are q+1 lines in V that passes through A. Each one 
of these lines passes through at most one other point of O^, but each line 
contains q + 1 points of P, and hence at least q of those points are not in 
. Moreover, each pair of lines has only the point A in common. 
Now we have considered 1 + q{q + 1) distinct points of P, which are 
all points of P, and we have proved that at most q + 2 of those lie in . 
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(2) Clearly, = if and only if ^2^3"*'^ = 92^3+^ If P = P'g, where 

-Poo 7^ ^" e O and 5 = [gij], then Pi = gi,i(a*+2+6*+a6)+52,i^'+g3,ia+54,i 
for some a, 6 g F^. 

Introducing indeterminates x and j/ in place a and 6, it follows that 
the expression p2'J'3^^ ^ '72P3^^ is a polynomial / G Fq[a:, with degj.(/) ^ 
3i + 4 and degj,(/) ^ t + 2. For each a e Fg, the number of roots of /(a, y) 
is therefore at most i + 2, so the number of roots of / is at most q{t + 2). 

□ 

Proposition 2.11. If gi,g2 £ ^Ti- are uniformly random, then 

Pr[|[gi,g2]|=4] = l--^. (2.21) 

Proof. Let A ^ TH/ Z(J^). By Theorem [51,52] e T and has order 4 if 
and only if [51, 52] ^ Z(JF) <\!FH. It therefore suffices to find the proportion of pairs 
ki,k2 ^ A such that [fci, fc2] = 1- 

If /ci = 1 then k2 can be any element of A, which contributes q{q — 1) pairs. If 
I ^ ki & T I Z(JF) ^ Fg then C^(fci) = T j so we again obtain q{q — 1) pairs. 

Finally, if ki ^ T / Z(.F) then |Cyi(A:i)| = g — 1, so we obtain q{q — 2){q — 1) pairs. 
Thus we obtain q^{q — 1) pairs from a total of |A x yl| = q^[q — l)^ pairs, and the 
result follows. □ 

Proposition 2.12. Let G = Sz{q). If x,y e G are uniformly random, then 

Pr[(a;, y) = G] = I - 0{cj^{\og{q)) / q^) (2.22) 

Proof. By (|2.8p and Theorem l2.3[ the maximal subgroup M ^ G with small- 
est index is M = TH. Then [G : M] ^ q^ + 1 and since M = Ng(M), there are 
q^ + 1 conjugates of M. 

9^+1 . 

Pr[(x, y) ^ some 5 € G] ^ V Pr[(x, y) ^ M] = ^— (2.23) 

The probability that {x, y) lies in any maximal not conjugate to M must be less than 
1/(9^ + 1) because the other maximals have larger indices. There are 0(cro(log((3'))) 
number of conjugacy classes of maximal subgroups, and hence the probability that 
{x^y) lies in a maximal subgroup is 0((7o(log((7))/(7^) . □ 



2.1.2. Alternative definition. The way we have defined the Suzuki groups 
resembles the original definition, but it is not clear that the groups are exceptional 
groups of Lie type. This was first proved in |Ono62l IOno63| . A more common 
way to define the groups are as the fixed points of a certain automorphism of 
Sp(4, (7). This approach is followed in [WilOSj Chapter 4.10], and it provides a 
more straightforward method to deal with non-constructive recognition of Sz{q). 
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J = 



(2.24) 



Let Sp(4, q) denote the standard copy of the symplectic group, preserving the 
following symplectic form: 

"O l' 
10 
10 
10 

From |Wil05| Chapter 4.10], we know that the elements of Sz(g) are precisely 
the fixed points of an automorphism 5" of Sp(4, q). Computing \E'((?) for some g G 
Sp(4, q) amounts to taking a submatrix of the exterior square of 5 and then replacing 
each matrix entry x by a;^ . Moreover, ^' is defined on Sp(4, F) for F ^ Wq. A more 
detailed description of how to compute ^'(g) can be found in |Wil05| Chapter 4.10]. 

Lemma 2.13. Let G ^ Sp(4, g) have natural module V and assume that V 
is absolutely irreducible. Then G'' ^ Sz(g) for some h G GL(4, q) if and only if 

Proof. Assume G'' ^ Sz{q). Both G and Sz{q) preserve the form (|2.24p . and 
this form is unique up to a scalar multiple, since V is absolutely irreducible. There- 
fore hjK^ = A J for some A e F^. But if /i = V A^^ then {fih)J{fih)^ = J, so that 
e Sp(4, (7). Moreover, G'^ = G^'*, and hence we may assume that h £ Sp(4, g). 
Let X = h^{h^^) and observe that for each g £ G, ^'(g'') = g'^- It follows that 

= -^(hg^h-^) = *(.g) (2.25) 

sov^ y*. 

Conversely, assume that V = y*. Then there is some h £ GL(4, g) such that 
for each g £ G we have g'^ = ^'(5). As above, since both G and ^'(G) preserve the 
form p.24|) . we may assume that h £ Sp(4, q). 

Let K be the algebraic closure of Fg. The Steinberg-Lang Theorem (sec jSte77j ) 
asserts that there exists x £ Sp(4, K) such that h = x^^'i'{x). It follows that 

=5"" (2.26) 

so that G^ ^ < Sz{q). Thus G is conjugate in GL(4,i4r) to a subgroup 5* of Sz{q), 
and it follows from [CR061 Theorem 29.7], that G is conjugate to in GL(4, g). □ 

2.1.3. Tensor indecomposable representations. It follows from [LubOl] 
that over an algebraically closed field in defining characteristic, up to Galois twists, 
there is only one absolutely irreducible tensor indecomposable representation of 
Sz{q) : the natural representation. 

2.2. Small Ree groups 

The small Ree groups were first described in jReeGOl IReeGlc] . Their structure 
has been investigated in [War 63 1, IWar66|, ILN85|, IKle88| . A short survey is also 
given in [HB82t Chapter 11] . They should not be confused with the Big Ree groups, 
which are described in Section [ 



2.2. SMALL REE GROUPS 



33 



2.2.1. Definition and properties. We now define our standard copy of the 
Ree groups. The generators that we use are those described in [KLMOl] . Let 
q = 32m+i gome TO > and let t = 3™. For x e Wq and A G F^, define the 
matrices 
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and define the Ree group as 
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eF,,AeF,^) 



(2.27) 



(2.28) 



(2.29) 



(2.30) 



(2.31) 



(2.32) 
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Also, define the subgroups of upper triangular and diagonal matrices: 

U{q) = {a{x),(i(x),-f(x) \x^¥,) (2.33) 
H{q)^{h{\)\\e¥^^}=¥-^. (2.34) 

From |LN85| we then know that each element of U{q) can be expressed in a 
unique way as 

S{a,h,c) = a{a)l3{h)-i{c) (2.35) 

so that U[q) = {S{a,b,c) | a, 6, c e F,}, and it follows that \U{q)\ = q^. We also 
know that U{q) is a Sylow 3-subgroup of Ree((7), and direct calculations show that 

S'(ai,6i,ci)S'(a2, 62,02) = 

= S{ai + 02, 61 + 62 - aiaf,ci + C2 - a2bi + aio^^^ - a\a^), 
S{a, b, c)-i = S{-a, -{b + 0^*+^), -{c + ab- a^*+^)), (2.37) 
^(ai,6i,ci)^('^^'''^'^^) = 



(2.36) 



S{ai, bi — aiflj + a2af , ci + 0162 — 0261 + aid 



3t+l 



„ „3t+l 2 3t I „2^3t\ 



and 



S{a, b, c) 



h{\) _ 



3t-2^ 



Ai-3*5,A-ic). 



(2.38) 



(2.39) 



Remark 2.14 (Standard generators of Ree((;)). As standard generators for 
Ree(g) we will use 

{5(l,0,0),/i(A),T}, 

where A is a primitive element of F^, whose minimal polynomial is the defining 
polynomial of F^. 

The Ree groups preserve a symmetric bilinear form on F^, represented by the 
matrix 

"000 001" 

1 

1 

J=000 -1 000 (2.40) 

1 

1 

1 0_ 

From [War66| and |HB82|, Chapter 11] we immediately obtain 

Proposition 2.15. Let G = Ree(g). 

(1) \G\ = q^{q^ + l){q-l) where gcA{q^ + l,g- 1) = 2. 

(2) Conjugates of U (q) intersect trivially. 

(3) The centre Z([/(g)) = {5(0, 0,c) | c S i^J. 

(4) The derived group U{qy = {S'(0,6, c) | 6, c € Fg}, and its elements have 
order 3. 
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(5) The elements in U{q) \ U{q)' = {S{a, b, c) \ a 0} have order 9 and their 
cubes form Z{U{q)) \ (!) . 

(6) Ng(?7(9)) — U{q)H{q) and G acts doubly transitively on the right cosets 
of^G(U{q)), i.e. on a set of size q^ + 1. 

(7) U{q)H{q) is a Frobenius group with Frobenius kernel U{q). 

(8) The proportion of elements of order q-^X inU{q)H{q) is (j){q — I) / {q ~ 1) , 
where (f) is the Euler totient function. 

For our purposes, we want another set to act (equivalently) on. 

Proposition 2.16. There exists O C P*'(Fq) on which G = Ree(g) acts faith- 
fully and doubly transitively. This set is 

O ={(0 : : : : : : 1)}U 

{(1 : a* : -6* : {ahf -c':-b- a^'+i - (acf : -c - (5c)* ~ 0^*+^ - a'b^' : 

a'c - + a«+2 - - a^'+^b* - (a6c)*)} 

(2.41) 

Moreover, the stabiliser of Poo = (0:0:0:0:0:0:1) is U{q)H{q), the stabiliser 
o/Po = (1 : : : : : : 0) IS {U{q)H{q))^ and the stabiliser of (Poo,Po) is 
H[q). 

Proof. Notice that O \ {Poo} consists of the first rows of the elements of 
U{q)H{q). From Proposition l2 . 1 51 it foUows that G is the disjoint union of U{q)H{q) 
and U{q)H{q)TU{q)H{q). Define a map between the G-sets as {U{q)H{q))g ^ 
Poog- 

If g G U{q)H{q) then Poog = Poo and hence the stabiUser of Poo is U{q)H{q). If 
g ^ U{q)H{q) then g = xTy where x,y £ U{q)H{q). Hence Pooff = PaV G O since 
P^y is the first row of y. It foUows that the map defines an equivalence between the 
G-sets. □ 

Proposition 2.17. Let G Ree(g). 

(1) The stabiliser in G of any two distinct points of O is conjugate to H{q), 
and the stabiliser of any triple of points has order 2. 

(2) The number of elements in G that fix exactly one point is q^ — 1. 

(3) All involutions in G are conjugate in G. 

(4) An involution fixes q + 1 points. 

Proof. (1) Immediate from |HB82( Chapter 11, Theorem 13.2(d)]. 

(2) A stabihser of a point is conjugate to U{q)H{q), and there are lO] conju- 
gates. The elements fixing exactly one point are the non-trivial elements 

of U{q). Therefore the number of such elements is jOj ([[/(q)] — 1) = 
(g3 + l)(g3,i) = (g6 

(3) Immediate from |HB82[ Chapter 11, Theorem 13.2(e)]. 

(4) Each involution is conjugate to 

/i(-l) =diag(-l, 1,-1, 1,-1, 1,-1). 



2.2. SMALL REE GROUPS 



36 



Evidently, h{—l) fixes Poo since h{—l) G H{q) and if P = (pi : • • • : py) G 
O with pi 7^ 0, then P is fixed by h{—l) if and only if P2 ~ Pa — P& ~ 0. 
But then P is uniquely determined by pa, so there are q possible choices 
for P. Thus the number of points fixed by ^(—1) is g + 1. 

□ 

Proposition 2.18. Let G = Ree(g) with natural module V and let j e G be an 
involution. Then I^IcgQ) — Sj © Tj where diiaSj ~ 3 and dimTj = 4. Moreover, 
Sj is irreducible and j acts trivially on Sj . 

Proof. By Proposition l2.171 j is conjugate to h{—l) = diag (-1, 1, -1, 1, -1, 1, — 1) 
so it has two eigenspaces Sj and Tj for 1 and —1 respectively. Clearly dim Sj — 3 
and dimTj — 4, and it is sufficient to show that these are preserved by PSL(2, q), 
so that they are in fact submodules of Vj . 

Let V G Sj and g £ PSL(2, g). Then {vg)j = {vj)g — vg since g centralises j 
and j fixes v, which shows that vg e Sj, so this subspace is fixed by PSL(2,g). 
Similarly, Tj is also fixed. 

Let J : V X V ^ V he the bilinear form preserved by G. Observe that if a: € Sj , 
y & Vj then ^{x,y) — ^{xj,yj) = 7(2;, —y) = —j{x,y) ~ and hence Vj C Sj-. If 
7|s^. is degenerate then also Sj C Sj- so that Sj C which is impossible since 7 
is non-degenerate. Hence 715^ is non-degenerate and Sj is isomorphic to its dual. 

Now if Sj is reducible, it must split as a direct sum of two submodules of 
dimension 1 and 2. Since j acts trivially on Sj, it is in fact a module for PSL(2, q), 
but PSL(2, q) have no irreducible modules of dimension 2. Therefore Sj must be 
irreducible. □ 

Lemma 2.19. Let g G G ^ GL(d, P) with d odd and F any finite field, and 
assume that G preserves a non-degenerate bilinear form and that det(5) = 1. Then 
g has 1 as an eigenvalue. 

Proof. Let y = P"* be the natural module of G. Let f : V x V ^ F he a 
non-degenerate bilinear form preserved by G. Over P, the multiset of eigenvalues 
oi g is Xi, . . . , Xd. Let P^i , ■ • ■ , E\a be the corresponding eigenspaces (some of them 
might be equal). 

li V £ E\. and w e Ex^ then 

f{v,w) = f{vg,wg) = f{vXi,wXj) = XiXjf{v,w) 

so either XiXj — 1 or f(v,w) = 0. However, for a given i there must be some j 
such that XiXj — 1, otherwise f{v,w) — for every v S E\. and w E V, which is 
impossible since / is non-degenerate. 

Hence the eigenvalues can be arranged into pairs of inverse values. Since d is 
odd, there must be a fc such that Afe is left over. The above argument then implies 
that = 1, and finally 1 = det{g) — Xk- □ 

From [LN85j and [Kle88j we obtain 
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Proposition 2.20. A maximal subgroup of G — Ree((7) is conjugate to one of 
the following subgroups 

• Ng(J7((7)) = U{q)H{q), the point stabiliser . 

• CgU) — 0) X PSL(2,(7), the centraliser of an involution j. 

• Ng(Ao) ^ (C2 X C2 X ^o): Ce, where Aq ^ Ree((7) is cyclic of order (q + 
l)/4. 

• N(3(^i) = Ai: Cg; where Ai ^ Ree((7) is cyclic of order q + 1 — 3t. 

• Nc{A2) = A2: Cg, where A2 ^ Ree(g) is cyclic of order q + I + 3t. 

• Ree(s) where q is a proper power of s. 

Moreover, all maximal subgroups except the last are reducible. 
Proof. It is sufficient to prove the final statement. 

Clearly the point stabiliser is reducible, and the involution centraliser is re- 
ducible by Proposition l2.18l 

Let _ff be a normaliser of a cyclic subgroup and let x be a generator of the 
cyclic subgroup that is normalised. Since G ^ 80(7,5), by Lemma [2. 191 x has an 
eigenspace E for the eigenvalue 1, where V ^ E ^ {0}. Given v E E and he H, we 
see that {vh)x^ — vh so that vh is fixed by {x^) — {x). This implies that vh £ E 
and thus _E is a proper non-trivial 7?-invariant subspace, so H is reducible. □ 

Proposition 2.21. Let G = Ree(g). 

(1) All cyclic subgroups of G — Hee(q) of order q — I are conjugate to H{q) 
and hence each one is a stabiliser of two points of O. 

(2) All cyclic subgroups of order {q + l)/2 or q ± 3t + I are conjugate. 

(3) If G is a cyclic subgroup of order q±M + 1, then distinct conjugates of C 
intersect trivially. 

(4) If C is a cyclic subgroup of order (q + l)/2, C > G' = Aq and x € 
G\Ng(C"), thenGnG"" = (1). 

Proof. (1) Let G — (g) ^ G be cyclic of order q—1 and let p be an odd 

prime such that p \ q—1. Then there exists k & Z such that ^g'^^ = p. Since 
q^ + 1 = 2 (mod p), the cycle structure of g'' on O must be a number of 
p-cycles and 2 fixed points P and Q. Since G is doubly transitive there 
exists X e G such that Px — P^o and Qx = Pq. 

Now either g fixes P and Q or interchanges them, so 5^ e lSla{H{q)) = 
{II{q),T) = D2(q_i). Hence (5^) = II{q) since that is the unique cyclic 
subgroup of order g — 1 in {H(q), T). 

(2) This follows immediately from [LN85[ Lemma 2]. 

(3) Let G be such a cyclic subgroup. If G ^ G"^ for some x G G and g e GnG"^, 
then Caig) = (G U G^). But (G U G^) = G, so that g = 1. 

(4) Since (G U G^) — G, this is analogous to the previous case. 

□ 



Proposition 2.22. Let G = Ree(g) and let <j) be the Euler totient function. 
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(1) The centraliser of an involution j € G is isomorphic to (j) x PSL(2, q) 
and hence has order q{q^ — 1). 

(2) The number of involutions in G is q^{q^ — g + 1). 

(3) The number of elements in G of order q~ \ is (f>{q — l)q^(q^ + l)/2. 

(4) The number of elements in G of order (q + l)/2 is 4'{{q + l)/2)q^{q — 
l){q^-q + l)/&. 

(5) The number of elements in G of order (q ± 3t + 1) is (f>(q ± 3t + l)q^{q^ — 
l)((ZT3i + l)/6. 

(6) The number of elements in G of even order is q^ {7q^ - 23q'^ + 8q^ + 23q'^ - 
39(7 + 24)/24. 

(7) The number of elements in G that fix at least one point is q^{q^ — + 
3q2-5g + 2)/2 

Proof. (1) Immediate from |HB82[ Chapter 11]. 

(2) All involutions are conjugate, and the index in G of the involution cen- 
traliser is 

^^^^T^^fc^=.V-.+ l) (2.42) 

where we have used the fact that q'^ + 1 = {q + l){q'^ — q + 1) . 

(3) By Proposition 12.211 each cyclic subgroup of order 5 — 1 is a stabiliser of 
two points and is uniquely determined by the pair of points that it fixes. 
Hence the number of cyclic subgroups of order g — 1 is 

^ 5^^. (2.43) 

By Proposition 12. 171 the intersection of two distinct subgroups has order 
2, so the number of elements of order g — 1 is the number of generators of 
all these subgroups. 

(4) By Proposition 12. 21) the number of cyclic subgroups of order {q + l)/2 is 
[G : Ng{Ao)] — q'^{q — l){q'^ ^ Q + l)/6- Since distinct conjugates inter- 
sect trivially, the number of elements of order {q + l)/2 is the number of 
generators of these subgroups. 

(5) Analogous to the previous case. 

(6) By [LN85[ Lemma 2] , every element of even order lies in a cyclic subgroup 
of order q—1 or {q + l)/2. In each cyclic subgroup of order q—1 there is a 
unique involution and hence (q — 3)/2 non- involutions of even order, and 
similarly (q — 3)/4 in a cyclic subgroup of order {q + l)/2. By Proposition 
12.211 the total number of elements of even order is therefore 

(g - 3)(g3 + l)q3/4 + _ 3)(^ _ i)(^2 _ ^ ^ ^^^3/34 + ^2(^2 _ q + i) 

= q^ {7q^ - 23q^ + 8q^ + 2Sq^ - 39q + 24) /24 (2.44) 

(7) The only non-trivial elements of G that fix more than 2 points are involu- 
tions. Hence in each cyclic subgroup of order q—1 there are q~5 elements 
that fix exactly 2 points, so by Proposition 12. 171 the number of elements 
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that fix at least one point is 

, (g-3)(-73 + i)53 



2 

g2(g5_g4_^3g2_5g^2 



(2.45) 



□ 



Lemma 2.23. If g £ G = Ree(q) is uniformly random, then 

7(7^ — Qo — 24 

Pr[|5l e.en] = '^^^^^^'^ > 1/4 (2.49) 

Pr[g /ixes a point] = '^^'^Ij^^y^ ^ 1/2 (2.50) 

Proof. In each case, the first equality follows from Proposition 12.221 and 
Proposition 12.151 In the first case, the inequality follows from [MSC96| Section 
II. 8], and in the other cases the inequalities are clear since m > 0. □ 

Corollary 2.24. In G = Ree((7), the expected number of random selections 
required to obtain an element of order q — 1, q±3t + l or {q + l)/2 is O (log log g) , 
and 0(l) to obtain an element that fixes a point, or an element of even order. 

Proof. Clearly the number of selections is geometrically distributed, where 
the success probabilities for each selection are given by Lemma 12.231 Hence the 
expectations are as stated. □ 

Proposition 2.25. Elements in Ree(g) of order prime to 3 with the same trace 
are conjugate. 

Proof. From [War66| . the number of conjugacy classes of non-identity ele- 
ments of order prime to 3 is q - 1. Observe that for A G F^, Tr(5(0, 0, l)Th{X)) = 
A* - 1 and \S{Q, 0, l)T/i(A)| is prime to 3 if also A ^ -1. 

Moreover, h{—l) has order 2 and trace —1 so there are q—1 possible traces for 
non-identity elements of order prime to 3, and elements with different trace must 
be non-conjugate. Thus all conjugacy classes must have different traces. □ 

Proposition 2.26. Ifi,j € Ree{q) are uniformly random involutions, then 
Pr[|ij| odd\ > c for some constant c > 0. 

Proof. Follows immediately from |WP06[ Theorem 13]. □ 

Proposition 2.27. Let G = PSL(2,5). Ifx,y e G are uniformly random, then 

Pr[(x, y)=G] = l- 0{aoilog{q))/q) (2.51) 
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Proof. The maximal subgroup M ^ G consisting of the upper triangular 
matrices modulo scalars has index q + 1, and all subgroups isomorphic to M are 
conjugate. Since M = Ng(M), there are q+1 conjugates of M. 

9+1 . 

Pr[(a;, y) s$ M» some 5 G G] s$ ^ Pr[(2;, y) < M] = (2.52) 

i=i 9+1 

The other maximal subgroups have index strictly greater than q + I, so the proba- 
bility that (x, y) lies in any maximal not conjugate to M must be less than 
The number of conjugacy classes of maximal subgroups is O(f7o(log((7))) , and hence 
the probability that {x,y) lies in a maximal subgroup is O(cro (log (9) D 

Proposition 2.28. Let P ^ {pi : ■ ■ ■ : pj) e be uniformly random, where 
03 :^{Rg\Re O} for some g e GL(7, q). Then 

(1) 

Pr[p3 ^0]^1- (2.53) 
q'^ + 1 

(2) If Q — (qi : ■ ■ ■ : qj) £ is given, then 

Prb392^'+^ ^ q^P^'] ^ 1 - ' + '3^^ + (2.54) 

q-^ + 1 

Proof. If P = P'g, where Poo 7^ P' G O and g — [gi.^j], then pi — gi,i + 
a'g2,^ - b'g3,^ + ((a6)* - c*)54,» + {-b - a^'+' - {acY)g5,^ + (-c - {bcY - a^'+^ - 
aV*)96,^ + (a*c - + a^*+^ - c^* - a^^+'^b* - {abcY)gT^, for some a,b,c£ F,. 

(1) By introducing indeterminates a;, y and z in place of a, 6 and c, it follows 
that Pa is a polynomial / G Fg[a;, y, z] with deg2,(/) ^ 4i + 2, degy(/) ^ 2i 
and deg^(/) ^ t. For each (a, 6) G F^, the number of roots of /(a, 5, z) is 
therefore at most t, so the number of roots of / is at most q^iit + 1). 

(2) Similarly, by introducing indeterminates x, y and z in place of a, b and c, it 
follows that the expression ^392*^^ — 93^2'^^ ^ polynomial / G Fq[x, y, z] 
with deg^(/) m + 6, degy(/) sC 5t + 1 and degj/) 3t + 1. For each 
(a, h) G F^, the number of roots of /(a, 6, z) is therefore at most 3^+1, so 
the number of roots of / is at most (?^(3t + 1). 

□ 

Proposition 2.29. If gi,g2 G U{q)H{q) are uniformly random and indepen- 
dent, then 

Pr[|[<7i,ff2]|=9] = l-^ (2.55) 

Proof. By Proposition I2.15| [31,(72] € U{q) and has order 9 if and only if 
[91^92] 4- ^(9)' ^ U{q)H{q). It is therefore sufficient to find the proportion of (im- 
ordered) pairs ki,k2 G U{q)II{q)/U{q)' = A such that [ki,k2] — 1. 

If fci = 1 then ^2 can be any element of A, which gives q{q — 1) pairs. If 
1 7^ fci G U{q)/U{q)' ^ ¥g then €^(^1) = U{q)/U{q)', so we again obtain q{q - 1) 
pairs. Finally, if ki ^ U{q) then |Ca(^i)| = g— 1 so we obtain q{q — 2)(g— 1) pairs. 
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Thus we obtain q^{q — 1) pairs from a total of |A x q^{q — 1)^ pairs, and the 
result follows. □ 

2.2.2. Alternative definition. The definition of Ree(g) that we have given 
is the one that best suits most our purposes. However, to deal with non-constructive 
recognition, we need to mention the more common definition of Ree((7). 

Following [Wil05( Chapter 4] and [Wil06j . the exceptional group G2[q) is 
constructed by considering the Cayley algebra O (the octonion algebra), which has 
dimension 8, and defining G2{q) to be the automorphism group of O. Thus each 
element of G2{q) fixes the identity and preserves the algebra multiplication, and it 
follows that it is isomorphic to a subgroup of SO (7, q). 

Furthermore, when q is an odd power of 3, the group G2{q) has a certain au- 
tomorphism ^, sometimes called the exceptional outer automorphism, whose set of 
fixed points form a group, and this is defined to be the Ree group Ree((7) = ^G2{q)- 
A more detailed description of how to compute ^'(i?) can be found in |Wil06] . 

2.2.3. Tensor indecomposable representations. It follows from [LiibOl] 
that over an algebraically closed field in defining characteristic, up to Galois twists, 
there are precisely two absolutely irreducible tensor indecomposable representations 
of Ree(g): the natural representation and a representation of dimension 27. Let V 
be the natural module of Ree(q), of dimension 7. The symmetric square S'^{V) has 
dimension 28, and is a direct sum of two submodules of dimensions 1 and 27. The 
1-dimensional submodule arises because Ree(g) preserves a quadratic form. 

2.3. Big Ree groups 

The Big Ree groups were first described in [ReeGla], IRee61b] , and are covered 
in |Wil05[ Chapter 4]. The maximal subgroups are given in [MalQlj . and repre- 
sentatives of the conjugacy classes are given in (Shi74] and [Shi75| . An elementary 
construction, suitable for our purposes, is described in |Wil06j . 

2.3.1. Definition and properties. We take the definition of the standard 
copy of ^Fiiq) from |Wil06| . 

The exceptional group F4 (q) is constructed by considering the exceptional Jor- 
dan algebra (the Albert algebra), which has dimension 27, and defining F4(g) to be 
its automorphism group. Thus each element of F4{q) fixes the identity and preserves 
the algebra multiplication, and one can show that it is a subgroup of 0~(26, q). 

Furthermore, when q is an odd power of 2, the group ^^{q) has a certain 
automorphism 'J whose set of fixed points form a group, and this is defined to be 
the Big Ree group ^F4(g). A more detailed description of how to compute ^'(.g) can 
be found in |Wil06| . 

Let t = 2"+i = y/2q and let V ^¥f. From |Wil06| we immediately obtain: 
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Proposition 2.30. Let G = '^'P^iq) and g e G with \g\ = g - 1. Then g is 
conjugate in G to an element of the form 

<,{a, b) = diag(a, 6, a^~^b'-^ ,ah^-\ a^b~^ M''a^~\ ab-^,a'^\ 1, a-^b\ 
b^-*a'-', a'-'b'-\ ab-\ 1, a^-\ ba-\a'~%'-\b^-\ a*-^b-\ 

(2.56) 

for some a,b Cz ¥^ . 



Let {ei, . . . , 626} be the standard basis of V. Following |Wil06| . we then define 
the following matrices as permutations on this basis: 



g =(15, 12)(14, 13)(2, 5)(7, 8)(19, 20)(22, 25)(3, 4)(6, 9)(18, 21)(24, 23) (2.57) 
(11, 16)(1, 2)(8, 13)(14, 19)(25, 26)(7, 10) 
(5, 12)(15, 22)(17, 20)(4, 6)(9, 18)(21, 23) 



We also define linear transformations z and v, where z fixes for i — I, 
and otherwise acts as follows: 



(2.58) 
..,15 



ei6 
ei9 

622 
625 



61 + 616 
63 + 619 

62 + 66 + 622 
65 + 69 + 625 



617 l~> 61 + 617 

620 1-^ 64 + 620 

623 1-^ 63 + 67 + 623 

626 1-^ 61 + 610 + 611 + 626 



6I8 62 + 618 
621 65 + 621 
624 1-^ 64 + 68 + 624 



Furthermore, we define a block-diagonal matrix C as follows: 





1 








0" 






1 


1 












1 


1 


1 









1 





1 


1 




1— ' 














0" 





1 

















1 


1 











1 


1 


1 


1 








1 


1 





1 


1 











1 








1 


C3 




1 









(2.59) 
(2.60) 
(2.61) 
(2.62) 



(2.63) 



C2= : : : : I I (2.64) 



(2.65) 

and then C has diagonal blocks Ca, Ci, Ci, C3, C2, Ca, Ci, Ci, C3- 

Finally, v fixes 6; for i E {1, 3, 4, 5, 8, 9, 14, 15, 21, 24, 25} and otherwise acts as 
follows: 



62 61 + 62 
610 1^ 65 + 610 



66 1-^ 64 + eg 
611 69 + 611 



67 '-^ 65 + 67 
612 1-^ 65 + 67 + 610 + 612 



(2.66) 
(2.67) 
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6131-^68 + 613 ei6i-^69 + ei6 617 1-^ 615 + ei7 (2.68) 

618 i-> 69 + en + ei6 + 618 6191-^614 + 619 6201-^615+620 (2.69) 

622 l-> 615 + 617 + 620 + 622 623 ^ 621 + 623 626 625 + 626 (2.70) 

From [Wil06j we then immediately obtain: 

Theorem 2.31. Let X be a primitive element of¥q. The elements g, k, z, v 
and C lie in ^F4(g), and if G — A), gi^Oy then G = ^F4(g). 

Proposition 2.32. Let G = "^F^iq) and g G G with \g\ = {q — !)('? + i + !)• 
Then gi+*+^ is conjugate in G to ■^(1,6), which we write as 

h{X, fi) — diag(l, A, /iA^^, A/i^^, A^^, A, /iA^^, A/i^^, A^^, 1, 1, \^ , ^X^^ , 

/.t"\ 1, 1, A, ^A"\ A^"\ A"\ A, AfA"\ AAi"\ A"\ 1) 

(2.71) 

where A = 5 G and fi = X* . 

Proof. Using the notation of [Shi75[ Page 10], we see that with respect to 
a suitable basis, g lies in T{A) = Cg_i x Cq+t+i and that will have the 

form (e, e^^"^, 1, 1) for some e G F^. Hence it will lie in one of the factors of 
T(l)-C^_i. □ 

Proposition 2.33. If g e G ~ ^F4(gf) is uniformly random, then 

p,[i,i ^ (, - 1)(, + < + > ^ 

and hence the expected number of random selections required to obtain an element 
of order {q — l){q + t + 1) is 0(loglog(7) . 

Proof. Using the notation of |Shi75[ Page 10], we see that such elements lie 
in a conjugate of T(4) ~ Cq_i x Cq+t+i- The proportion of the elements in T(4) is 
therefore (j){q - l)(t>{q + t + l)/{{q - l){q + t + 1)). 

From |Shi75|, Table IV] we see that the elements in T{4) are of types tg and 
tio and that the total number of such elements in G is 

iq + t)\G\ {q~2)iq + t)\G\ 

V(q + t + l){q - l){q^ + 1) 8{q - l){q + t + 1) ' 

The proportion in G of the elements of the required order is therefore at least 

(^(g - l)</.(g + t + 1) / {q + t) , iq-2){q + t) 



{q-l)iq + t + l) \Aq^q + t+^)iq^^){q^ + l) 8{q - l)iq + t + I) , 
and the expression in parentheses is minimised when m = I. The result now follows 
from IMSC961 Section II. 8]. □ 

By definition we have the inclusions ^F4{q) < F4{q) < 0^(26, q) < Sp(26, q) < 
SL(26, g) < GL{26,q), so ^F4{q) preserves a quadratic form Q* with associated 
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bilinear form (3* . It follows from |Wil06) that 

[O i^{ll,16} 

Proposition 2.34. In G ^ "^^iiq), th ere are two conjugacy classes of involu- 
tions. The rank of an involution is the number of 2-blocks in the Jordan form. 



Name 


Centraliser 


Maximal parabolic 


Rank 


Representative 


2A 


[giO]:Sz(g) 


[gi"]:(Sz(q) X C,_i) 


10 


Q 


2B 


[g9]:PSL(2,g) 


[g"]:(PSL(2,g)xC,_i) 


12 


K 



Moreover, in the 2 A case the centre of the centraliser has order q. The cyclic 
group Cq-i acts fixed-point freely on [g^"]. 

Let i,j e G be involutions. If i and j are conjugate, then \ij\ is odd with 
probability 1 — 0(1/(7). If i and j are not conjugate, then \ij\ is even. 

Proof. The structure of the centralisers can be found in [MalQlj . The state- 
ment about i and j follows immediately from |WP06[ Theorem 13]. □ 

Corollary 2.35 (The dihedral trick). There exists a Las Vegas algorithm that, 
given (X) ^ GL(26,(7) such that (X) = ^F4(g) and given conjugate involutions 
a,b E (X) , finds c G (X) such that = b. If a, b are given as SLPs of length 0(n) , 
then c will be found as an SLP of length O (n) . The algorithm has expected time 
complexity O(^) field operations. 

Proof. Follows from Proposition 12. 341 and Theorem 11.91 

□ 

Proposition 2.36. Let X be a primitive element ofWg. A maximal parabolic of 
type 2A is conjugate to (C, z''^'', (3, z^, <r(l, A), i;(A, 1)), which consists of lower block- 
triangular matrices. A maximal parabolic of type 2B is conjugate to 

(?(i, A), ^(A, i),K, V, c, r , r ^ r^", v^\v^-^) . 

Proof. Follows immediately from |Wil06] . □ 

Conjecture 2.37. Let j e G — ^F4(g) be an involution of class 2A and let 
H ^ Coij) satisfy H > Z(CG(j)) and H ^ S where S ^ Sz{q). 

(1) Let g E H be uniformly random such that \g\ — 21. Then G Z(Cg(j)) 
with probability 1 — ©(l/q). 

(2) If H = Ga{j) and g E H is uniformly random such that \g\ = Al, then 
with high probability g^ G 02(-ff) and g^' G Z(iJ). 

Conjecture 2.38. Let ji,j2 e G = '^F4{q) be involutions of class 2A such 
that j2 G Z(Cg'(ji))- Then the proportion of h E G such that j'^ — j2, \h\ = q — 1 
and {Cciji), h) < G is high. 



(2.73) 
(2.74) 



2.3. BIG REE GROUPS 



45 



Conjecture 2.39. Let j e G = ^F4((j) be an involution. Let H ^ CgO') 
satisfy H ^ Z(Cg(j)) and H ^ S where S = Sz{q). Let M be the natural module 
ofG. 



Class of j 


Constituents and multiplicities of M\h 


2A 


(^4,4), (1,6), (5f ,1) 


2B 


(i?2®i?f ,2), {Rf,2), (i?f ,4), (1,4) 



Where is the natural module for Sz{q), i?2 is the natural module for SL(2, q) 
and ^ i, k ^ 2m. 

In the 2 A case, M\h has submodules of dimensions 

26, 25, 21, 20, 17, 16, 15, 11, 10, 9, 6, 5, 1, 0. 

It has q + 1 submodules of dimensions 10 and 16, and the others are unique. 

In the 2B case, M\h has submodules of every dimension 0,...,26. It has 2 
submodules of dimensions 7, 9, 10, 13, 16, 17, 19, q + \ submodules of dimensions 11 
and 15 and q + 2 submodules of dimensions 12 and 14. All the others are unique. 

Conjecture 2.40. Let j e G ^ '^^^{q) be an involution of class 2 A, let P = 
02(Cg(j)) and let H be the corresponding maximal subgroup. 

(1) P is nilpotent of class 2 and has exponent 4. 

(2) P has a subnormal series 

P ^ Po> Pl> P2> P3> P4 = 1 

where \Po/Pi\ = IP2/P3I = q\ = = Q- 

(3) The series induces a filtration of H, so Pi/Pi+i are ¥qH -modules, for 
i = 0, ...,3. 

(4) <i>(Po) = Pq = P2, Pi = P3, P2 is elementary abelian and Z(CG(j)) = 
Z(P) =F3. 

(5) P has exponent-2 central series 

P ^ P^t>P^^P^ = \ 

(6) Pre-images of non-identity elements of Pq/Pi have order 4 and their 
squares, which lie in P2 and have non-trivial images in P2/P3, are in- 
volutions of class 2B. 

(7) Pre-images of non-identity elements of P1/P2 have order 4 and their 
squares, which lie in P3 and have non-trivial images in P3/P4, are in- 
volutions of class 2A. 

(8) As H -modules, P/P2 is not isomorphic to P2. 

By |Mal91l . G has a maximal subgroup S ^ Sz(g) IC2, so from Section [^TT] we 
know that S contains elements of order 4(g — 1). 

Conjecture 2.41. Let H ^ G = '^Fi{q) be such that H = Sz{q) x Sz(g) and 
let Sz(q) = S ^ H be one of its direct factors. Let M be the module of S and let S4 
be the natural module of S . 
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(1) M ^ + ^4) © {l.sf.l). 

(2) M has composition factors with multiplicities: (6*4, 4), (1, 6), (54" ,1). 

Conjecture 2.42. Let S ^ G ^ ^F4{q) be such that S = Sz{q) x Sz{q) and let 
M be the module of G. 

(1) The elements of S of order A(q — 1) have 1 as an eigenvalue of multiplicity 
6. The proportion of these elements in G (taken over every S) is l/{2q). 

(2) M\s = M16 ffi ^^10 where dimMi = i. 

(3) M16 is absolutely irreducible and Miq = 6*1 (g) 5*2. Mio has shape 1.(5*3 © 
S^).!. The Si are natural Sz{q) -modules. 

(4) M\s has endomorphism ring End(A/|5) = and automorphism group 
Aut(Af|s)-C2xC,_ixC,_i. 

Proposition 2.43. Let S ^ G = ^F4{q) such that S = Sz{q) x Sz{q) and let 
M be the module ofG. Then Aut(A/|s) n 0^(26, ^ C2. 

Proof. The subgroup of 0^(26,9) that preserves the direct sum decomposi- 
tion of M\s has shape 0+(16, 5) x O^{10,q) (the 16-dimensional part is of plus 
type since Mm is a tensor product of natural Suzuki modules, and these preserve 
orthogonal forms of plus type). This implies that 

Aut(Af Is) n 0^(26, g) = (Aut(Afi6) n 0+(16,g)) x (Aut(Ai"io) n O-(10, g)) 

Since Afig is absolutely irreducible, Aut(Afi6) consists of scalars only, but there are 
no scalars in 0'^(16, q). Hence it suffices to show that Aut(Afio) n 0^(10, q) = C2. 

With respect to a suitable basis, an endomorphism of Afio has the form e(a, (3) = 
a/10 + 0Eio^i. It preserves the bilinear form /3* restricted to Mio if a = 1, and it 
preserves the quadratic form Q* restricted to Miq if e(l, f3) is a transvection. This 
implies that only 2 values of (3 are possible. □ 

Proposition 2.44. Let X be a primitive element of¥q. The subgroup 

(z,e,e^^(l,A),^(A,l)) 

is isomorphic to Sz(q);C2. It contains S — (z''^", A)) and h — kqk., where S = 

Sz{q) and [S'^jS] = (1). The subgroup \),<;{X,1), k, g, gng) is isomorphic to 

Sp(4,g):C2. 

Proof. Follows immediately from [Wil06| . □ 

Conjecture 2.45. Let a e G = ^F4(g) be such that \a\ ^ q — 1 and a is 
conjugate to some /i(A, fi) with A* = /i G . The proportion of b (z G such that the 
elements in (a) b with 1 as an eigenvalue of multiplicity 6 also have even order and 
power up to an involution of class 2A, is bounded below by a constant C2 > 0. 

Conjecture 2.46. The proportion of elements in G that have 1 as an eigen- 
value of multiplicity 6 is C3 G 0(l/q). 
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Conjecture 2.47. Let a e G ^ ^F4(g) be such that \a\ = q - I and a is 
conjugate to some /i(A,/x) with A* = G . Then Na{{a)) = ^2{q-i) ^ Sz((7) and 
there exists an absolute constant c such that for every b G G\NQ{{a)), the number 
of g £ (a) b that have 1 as an eigenvalue of multiplicity at least 6 is bounded above 
by c. 

Proposition 2.48. Let G — ^F4(g) with natural module M and let H < G 
be a maximal subgroup. Then either M\h is reducible or H ■^F4(s) where q is a 
proper power of s . 

Proof. Follows from |Mal91j . □ 

2.3.2. Tensor indecomposable representations. It follows from [LiibOlj 
that over an algebraically closed field in defining characteristic, up to Galois twists, 
there are precisely three absolutely irreducible tensor indecomposable representa- 
tions of ^F4((7): 

(1) the natural representation V of dimension 26, 

(2) a submodule oi S oiV ®V of dimension 246, 

(3) a submodule oiV ® S oi dimension 4096 



CHAPTER 3 



Constructive recognition and membership testing 

Here we will present the algorithms for constructive recognition and construc- 
tive membership testing. The methods we use are specialised to each family of 
exceptional groups, so we treat each family separately. When the methods are sim- 
ilar between the families, we present a complete account for each family, in order 
to make each section self-contained. In the cases where we have a non-constructive 
recognition algorithm that improves on [BKPS02] . we will also present it here. 

Recall the various cases of constructive recognition of matrix groups, given in 
Section 11.2.71 For each group, we will deal with some, but not always all, of the 
cases that arise. 

We first give an overview of the various methods. From Chapter [2] we know 
that both the Suzuki groups and the small Ree groups act doubly transitively on 
+ 1 and q"^ + 1 projective points, respectively (the fields of size q have different 
characteristics), and the idea of how to deal with these groups is to think of them 
as permutation groups. In fact we proceed similarly as in [CLGO06] for PSL(2, q), 
which acts doubly transitively on q -|- 1 projective points. The essential problem in 
all these cases is to find an efficient algorithm that finds an element of the group 
that maps one projective point to another. 

In PSL(2, q) the algorithm proceeds by finding a random element of order q—l 
and considering a random coset of the subgroup generated by this element. Since 
the coset is exponentially large, we cannot process every element, and the idea 
is instead to construct the required element by solving equations. We therefore 
consider a matrix whose entries are indeterminates. In this way we reduce the coset 
search problem to two other problems from computational algebra: finding roots of 
quadratic equations over a finite field, and the famous discrete logarithm problem. 

In the Suzuki groups, the number of points is + 1 instead of g + 1, and this 
requires us to consider double cosets of elements of order q—l, instead of cosets. 
The problem is again reduced to finding roots of univariate polynomials, in this 
case of degree at most 60, as well as to the discrete logarithm problem. 

The small Ree groups are dealt with slightly differently, since we can easily 
find involutions by random search and then use the Bray algorithm to find the cen- 
traliser of an involution. Then the module of the group restricted to the centraliser 
decomposes, and this is used to find an element that maps one projective point to 
another. 
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The Big Ree groups cannot be considered as permutation groups in the same 
way, so the essential problem in this case is to find an involution expressed as a 
product of the given generators. Again the idea is to find a cyclic subgroup of order 
q — 1 and search for elements of even order in random cosets of this subgroup. The 
underlying observation is that the elements of even order are characterised by having 
1 as an eigenvalue with a certain multiplicity. Therefore we can again consider 
matrices whose entries are indeterminates and construct the required element of 
even order. 

3.1. Suzuki groups 

Here we will use the notation from Section lTT] We will refer to Conjectures I3.4|, 
13. 181 1X1^13.211 and 13. 241 simultaneouslv as the Suzuki Conjectures. We now give an 
overview of the algorithm for constructive recognition and constructive membership 
testing. It will be formally proved as Theorem 13.261 

(1) Given a group G = Sz(q), satisfying the assumptions in Section [1.2.71 we 
know from Section 12.1.31 that the module of G is isomorphic to a tensor 
product of twisted copies of the natural module of G. Hence we first tensor 
decompose this module. This is described in Section [3.1.51 

(2) The resulting groups in dimension 4 are conjugates of the standard copy, 
so we find a conjugating element. This is described in Section [3. 1.41 

(3) Finally we are in Sz{q). Now we can perform preprocessing for constructive 
membership testing and other problems we want to solve. This is described 
in Section [3.1.31 

Given a discrete logarithm oracle, the whole process has time complexity slightly 
worse than 0((i^ + \og{q)) field operations, assuming that G is given by a bounded 
number of generators. 

3.1.1. Recognition. We now discuss how to non-constructively recognise Sz(g). 
We are given a group (X) ^ GL(4, q) and we want to decide whether or not 
(X) = Sz{q), the group defined in 

To do this, it suffices to determine if X C Sz{q) and if X does not generate a 
proper subgroup, i.e. if X is not contained in a maximal subgroup. To determine if 
5 G X is in Sz(q), first determine if g preserves the symplectic form of Sp(4, q) and 
then determine if g is a fixed point of the automorphism ^! of Sp(4, q), mentioned 
in Section \TT\ 

The recognition algorithm relies on the following result. 

Lemma 3.1. Let H ~ (X) < Sz(g) = G, where X — {xi,...,x„}, let C = 
{[xi, Xj] \ l^i<j^n} and let M be the natural module of H . Then H = G if 
and only if the following hold: 

(1) M is an absolutely irreducible H -module. 

(2) H cannot be written over a proper subfield. 

(3) G 7^ {1} and for every c G G\ {1} there exists x £ X such that [c, c^] ^ 1. 
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Proof. By Theorem 12. 3[ the maximal subgroups of G that do satisfy the first 
two conditions are Ng(H), Bi and 62- For each, the derived group is contained in 
the normahsed cycUc group, so all these maximal subgroups are metabelian. If H 
is contained in one of them and H is not abelian, then C 7^ {1}, but [c, c^] = 1 for 
every c e C and x X since the second derived group of H is trivial. Hence the 
last condition is not satisfied. 

Conversely, assume that H ^ G. Then clearly, the first two conditions are 
satisfied, and G ^ {1}. Assume that the last condition is false, so for some c G C\{1} 
we have that [c, c^] = 1 for every x £ X. This implies that G Cg(c) n Cg(c)^ ^ , 
and it follows from Proposition [2J] that Cg(c) = Cg(c)"="\ Thus Cg(c) = Cg(c)s 
for all 5 e G, so Cg(c) <i G, but G is simple and we have a contradiction. □ 

Theorem 3.2. There exists a Las Vegas algorithm that, given (X) ^ GL(4, (7), 
decides whether or not {X) = Sz{q). It has expected time complexity 0(\X\^ + 
cro(log(g))(|X| +log(g))) field operations. 

Proof. The algorithm proceeds as follows. 

(1) Determine if every a; € X is in Sz(q), and return false if not. 

(2) Determine if {X) is absolutely irreducible, and return false if not. 

(3) Determine if {X) can be written over a smaller field. If so, return false. 

(4) Using the notation of Lemma 13. 1[ try to find c e C such that c 7^ 1 . 
Return false if it cannot be found. 

(5) If such c can be found, and if [c, c^] 7^ 1 for some x G X, then return true, 
else return false. 

From the discussion at the beginning of this section, the first step is easily done 
using 0(|X|) field operations. The MeatAxe can be used to determine if the natural 
module is absolutely irreducible; the algorithm described in Section fl. 2. 10. 2l can be 
used to determine if (X) can be written over a smaller field. 

The rest of the algorithm is a straightforward application of the last condition 
in Lemma 13. 1[ except that it is sufficient to use the condition for one non-trivial 
commutator c. By Lemma [3.11 if [c, c^] 7^ 1 then {X) = Sz(g); but if [c, c^] = 1, 
then C(x)(c) <i {X) and we cannot have Sz{q). 

It follows from Section 11.2.101 that the expected time complexity of the al- 
gorithm is as stated. Since the MeatAxe is Las Vegas, this algorithm is also Las 
Vegas. □ 

We are also interested in determining if a given group is a conjugate of Sz(g), 
without necessarily finding a conjugating element. We consider the subgroups of 
Sp(4, (7) and rule out all except those isomorphic to Sz(g). This relies on the fact 
that, up to Galois automorphisms, Sz{q) has only one equivalence class of faithful 
representations in GL(4, q), so if we can show that G = Sz{q) then G is a conjugate 
of Sz{g). 
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Theorem 3.3. There exists a Las Vegas algorithm that, given {X) ^ GL(4, g), 
decides whether or not there exists h G GL(4, g) such that (X)''' = Sz{q). The 
algorithm has expected time complexity 0(|X|^ + ao{log{q)){\X\ + log(g))) field 
operations. 

Proof. Let G — {X). The algorithm proceeds as foUows. 

(1) Determine if G is absolutely irreducible, and return false if not. 

(2) Determine if G preserves a non-degenerate symplectic form M . If so we 
conclude that G is a subgroup of a conjugate of Sp(4, q), and if not then 
return false. Since G is absolutely irreducible, the form is unique up to 
a scalar multiple. 

(3) Conjugate G so that it preserves the form J. This amounts to finding a 
symplectic basis, i.e. finding an invertible matrix X such that XJX^ = 
M, which is easily done. Then G-^ preserves the form J and thus G^ ^ 
Sp(4, q) so that we can apply 

(4) Determine ii V = , where V is the natural module for G and is the 
automorphism from Lemma l2.13l If so we conclude that G is a subgroup 
of some conjugate of Sz(g), and if not then return false. 

(5) Determine if G is a proper subgroup of Sz(q), i.e. if it is contained in a 
maximal subgroup. This can be done using Lemma l3.1l If so, then return 
false, else return true. 

From the descriptions in Section ri.2.10.1[ the algorithms for finding a preserved 
form and for module isomorphism testing are Las Vegas, with the same expected 
time complexity as the MeatAxe. Hence we obtain a Las Vegas algorithm, with the 
same expected time complexity as the algorithm from Theorem 13. 21 □ 

3.1.2. Finding an element of a stabiliser. In this section the matrix degree 
is constant, so we set ^ = ^^(4). In constructive membership testing for Sz(q) the 
essential problem is to find an element of the stabiliser of a given point P E O, 
expressed as an SLP in our given generators X oi G ^ Sz{q). The idea is to map P 
to Q 7^ -P by a random gi G G, and then compute 92 G G such that Pg2 = Q, so 
that gig2^ £ Gp. 

Thus the problem is to find an element that maps P to Q, and the idea is to 
search for it in double cosets of cyclic subgroups of order q — 1. We first give an 
overview of the method. 

Begin by selecting random a,h £ G such that a has pseudo-order q — 1, and 
consider the equation 

Pa^ha' = Q (3.1) 

in the two indeterminates i, j. If we can solve this equation for i and j, thus obtaining 
integers fc, I such that 1 ^ fc, Z ^ q — 1 and Pa^ha^ = Q, then we have an element 
that maps P to Q. 

Since a has order dividing q ^ 1, by Proposition [231 o is conjugate to a matrix 
Af'(A) for some A G F^. This implies that we can diagonalise a and obtain a 
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matrix x G GL(4, q) such that Af'(A)^ = a. It foUows that if we define P' = Px~^, 
Q' = Qx~^ and g = ^ then (|3.ip is equivalent to 

P'M'{XygM'{Xy = Q'. (3.2) 

Now change indeterminates to a and (3 by letting a = V and (3 = A' , so that 
we obtain the following equation: 

P'M'{a)gM'{f3) = Q'. (3.3) 

This determines four equations in a and f3, and in Section 13.1.2.11 we will de- 
scribe how to find solutions for them. A solution (7, 6) E ¥^ x determines 
M'{-f),M'{6) e and hence also c.dEH = W. 

If |a| = q — 1 then (a) = H , so that there exist integers k and I as above with 
a'' — c and a'^ = d. These integers can be found by computing discrete logarithms, 
since we also have A' = 7 and A*^ — 6. Hence we obtain a solution to (|3.ip from 
the solution to (j3.3p . If |a| is a proper divisor of g — 1, then it might happen that 
c ^ (a) or d ^ (a), but by Proposition 12. 61 we know that this is unlikely. 

Thus the overall algorithm is as in Algorithm l3.1l We prove that the algorithm 
is correct in Section [3.1.2.21 

Algorithm 13. II FindMappingElement(A', P, Q) 

1 Input: Generating set X for G = Sz(g) and points P ^ Q E O . 

2 Output: A random element g of G, as an SLP in AT, such that Pg ~ Q. 
II Assumes the existence of a function SolveEquation that solves p.3p . 
// Also assumes that DiscreteLog returns a positive integer if a 

/ / discrete logarithm exists, and otherwise, 
repeat 



3 // Find random element a of pseudo-order g — 1 
repeat 

4 a := Random(G) 

5 until \a\ \q—\ 

6 (Af'(A), a;) := DiAGONALiSE(a) 

7 // Now M'{\Y = a 
repeat 

8 h := Random(G) 

9 flag := SolveEquation(/i=^"\ Px^\ Qa:^^) 

10 until flag 

11 Let (7, S) be a solution to p.3p . 

12 / := DiscreteLog(A,7) 

13 fc := DiscreteLog(A, ^) 

14 until fc > and / > 



15 return a'/ia'"' 



3.1.2.1. Solving equation p.3|) . We will now show how to obtain the solutions 
of p.3p . It might happen that there arc no solutions, in which case the method 
described here will detect this and return with failure. 
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By letting P' = (gi : q2 ■ qz ■ 94), Q' = (^i ■ r2 : : ri) and g = [g^j], we can 
write out p.3p and obtain 

(qi5i,ia*+^ + (7252,1" + 93534""^ + 94g44Q^"*"^)/3*^^ = Cri 
(giffi,2a*^^ + 92.92.20! + 93.93,20:"^ + 94.94, 2a~*"^)/3 = C'r2 

(3.4) 

(9151,3"*^^ + 92.92,3a + 93.93,3" ^+94.94,30 * ^^Cr3 

(9131,40*'''^ + 9232,4" + 9353,4""^ + 9454,4a"*"^)/3"*"^ = C'r4 

for some constant C S F,. Henceforth, we assume that 7^ for i = 1, . . . , 4, since 
this is the difficult case, and also very likely when q is large, as can be seen from 
Proposition 12.101 A method similar to the one described in this section will solve 
p.3p when some ri — and Algorithm 13.11 does not assume that all 7^ 0. 

For convenience, we denote the expressions in the parentheses at the left hand 
sides of p.4p as K, L, M and N respectively. Since C = we obtain three 

equations 

= rsr^^L (3.5) 

and in particular /? is a function of a, since 

f3 = y^L-iAfr^Va. (3.6) 

If we eliminate /3 and /3* by using the first two equations into the third in (13. 5p . we 
obtain 

NKr2r3 = rir^ML (3.7) 

and by raising the first equation to the i-th power and substituting into the second, 
we obtain 

nrf = rl+'/^M'/'K. (3.8) 

Also, C = AljS^^r^^ and if we proceed similarly, we obtain two more equations 

7V*Lr*+^ = M'+Vzr^ (3.9) 

^^t/2^1+t/2 ^ M'+t/2^^^t/2^ ^3^^Q^ 

Now (13. 7p . (|3.8p . p.9p and (|3.10p are equations in a only, and by multiplying 
them by suitable powers of a, they can be turned into polynomial equations such 
that a only occurs to the powers ti for i = 1, . . . , 4 and to lower powers that are 
independent of t. The suitable powers of a are 2t + 2, t + t/2 + 2, 2t + 3 and 
2t + i/2 + 2, respectively. 
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Thus we obtain the following four equations. 

a cg + a cio + a cn + a ci2 

The Ci and c?j are polynomials in a with degree independent of t, for i = 1, . . . , 16 
and j = 1, ... ,4 respectively, so p. lip can be considered a linear system in the 
variables a"* for n = 1, . . . , 4, with coefficients Ci and dj. Now the aim is to obtain a 
single polynomial in a of bounded degree. For this we need the following conjecture. 

Conjecture 3.4. For every P' = Px^^,Q' = Qx^^,g = where P,Q e O, 
/i e G and x G GL(4, q), if we regard (|3.1ip as simultaneous linear equations in the 
variables a"* for n = 1, ... ,4, over the polynomial ring Vq[a], then it has non-zero 
determinant. 

In other words, the determinant of the coefficients q is not the zero polynomial. 

Lemma 3.5. Assume Coniecture \ZA\ . Given P',Q' and g as in Coniecture \3A\ 
there exists a univariate polynomial f{a) € ^q[o] of degree at most 60, such that 
for every (7, (5) e x that is a solution for {a, (3) in (|3.3p . we have f[j) = 0. 

Proof. So far in this section we have shown that if we can solve l|3.1ip we can 
also solve p.3p . From the four equations of (|3.1ip we can eliminate a* . We can solve 
for a^* from the fourth equation, and substitute into the third, thus obtaining a 
rational expression with no occurrence of a** . Continuing this way and substituting 
into the other equations, we obtain an expression for a* in terms of the q and the 
di only. This can be substituted into any of the equations of p. lip , where a"* for 
n — 1 , . . . , 4 is obtained by powering up the expression for a* . Thus we obtain a 
rational expression fi{a) of degree independent of t. We now take /(a) to be the 
numerator of /i. 

In other words, we think of the a"* as independent variables and of p. lip as 
a linear system in these variables, with coefficients in Fg[Q;]. By Conjecture 13.41 we 
can solve this linear system. 

Two possible problems can occur: / is identically zero or some of the denomina- 
tors of the expressions for a"*, ?i = 1, . . . , 4 turn out to be 0. However, Conjecture 
13. 41 rules out these possibilities. By Cramer's rule, the expression for a* is a rational 
expression where the numerator is a determinant, so it consists of sums of prod- 
ucts of Ci and dj . Each product consists of three Ci and one dj . By considering the 
calculations leading up to p. lip , it is clear that each of the products has degree at 
most 15. Therefore the expression for a^* and hence also /(a) has degree at most 
60. 

We have only done elementary algebra to obtain f{a) from (13. lip , and it is clear 
that p. lip was obtained from p.4p by elementary means only. Hence all solutions 



di 
d2 
d3 
di 



(3.11) 
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(7,(5) to p.4p must also satisfy /(7) — 0, although there may not be any such 
solutions, and /(a) may also have other zeros. □ 

Corollary 3.6. Assume Conjecture 13.41 There exists a Las Vegas algorithm 
that, given P',Q' and g as in Conjecture 13.41 finds all (7, i5) G x that are 
solutions of (j3.3p . The algorithm has expected time complexity O(logg) field oper- 
ations. 

Proof. Let /(a) be the polynomial constructed in Lemma 13.51 To find all 
solutions to (|3.3|) . we find the zeros 7 of /(a), compute the corresponding S for 
each zero 7 using p.6p . and check which pairs (7, i5) satisfy (|3.4|) . These pairs must 
be all solutions of p.3p . 

The only work needed is simple matrix arithmetic and finding the roots of 
a polynomial of bounded degree over F^. Hence the expected time complexity is 
O(logg) field operations. The algorithm is Las Vegas, since by Theorem 11.11 the 
algorithm for finding the roots of /(a) is Las Vegas, with this expected time com- 
plexity. □ 

By following the procedure outlined in Lemma 13.51 if is straightforward to 
obtain an expression for f{a), where the coefficients are expressions in the entries 
of g, P' and Q' , but we will not display it here, since it would take up too much 
space. 

3.1.2.2. Correctness and complexity. There are two issues when considering the 
correctness of Algorithm l3.1l Using the notation in the algorithm, we have to show 
that (|3.3p has a solution with high probability, and that the integers k and I are 
positive with high probability. 

The algorithm in Corollary 13.61 tries to find an element in the double coset 
TigH, where g — h^ \ and we will see that this succeeds with high probability 
when g ^ Ng(H), which is very likely. 

If the element a has order precisely q — 1, then from the discussion at the 
beginning of Section 13.1.21 we know that the integers k and / will be positive. By 
Proposition we know that it is likely that a has order precisely q—1 rather than 
just a divisor of q — 1. 



Lemma 3.7. Assume Conjecture Yi .A\ Let G = Sz{q) and let P £ O and a,h £ G 
be given, such that \a\ = q — 1. Let Q Cz O be uniformly random. If h ^ N(3((a)), 
then 

^^i|^^Pr[Q.P(«)M«)]<i^ (3.12) 

where f{a) is the polynomial constructed in Lemma 13.51 // instead h G NG'((a)) 
then 

{q - l)(g^-l ) 
(g2 + 1)2 



Pv[QeP{a)h{a)]= ''' >^ . (3.13) 



Proof. If ft, ^ NG((a)) then by Lemma |(a) h{a)\ = {q - 1)^, and hence 
\P{a)h{a)\^{q-lf. 
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On the other hand, for every Q S O we have 

|{(fci,fc2) I fci, fc2 e (a) , Phhk2 = Q}K deg/ (3.14) 

since this is the equation we consider in Section I3.1.2.1[ and from Lemma 13.51 we 
know that aU solutions must be roots of /. Thus \P (a) h {a)\ ^ \{a,) h (a)| / deg/. 
Since Q is uniformly random from O, and \0\ = + 1, the result follows. 

If h e NG((a)) then (a) h (a) = h{a), and \Ph{a)\ = |(a)| if (a) does not fix 
Ph. By Proposition [TH the number of cyclic subgroups of order g — 1 is (''^') and 
\0\ — 1 such subgroups fix Ph. Moreover, if (a) fixes Ph then Ph (a) — {Ph}. Thus 

Pr[Q eP{a)h (a)] = Pr[0 G Ph (a)] Pr[P/ia 7^ P/i] + 
and the result follows. □ 



Theorem 3.8. Assume Conjecture VS.il and an oracle for the discrete logarithm 
problem in ¥q. Alaorithm VS.W is a Las Vegas algorithm with expected time complex- 
ity + Xoig) + log(9) loglog((7)) loglog((7)) field operations. The length of the 
returned SLP is 0(loglog((7)) . 

Proof. We use the notation from the algorithm. Let g = h^ , H — , 
P' — Px^^ and Q' = Qx~^ . CoroUarv 13.61 implies that line [TOl will succeed if 
Q' G P'TigH. If |a| = g — 1, then H = (a), and the previous condition is equivalent 
to Q £ P (a) h (a). Moreover, if |a| = (7 — 1 then line [T3] will always succeed. 

Let s be the probability that the return statement is reached. Then s satisfies 
the following inequality. 

s > Pr[|a| = q - l](Pr[/i € NaUa))] Pr[Q G P (a) h (a) \ h € NG((a))]^ 

+ Pr[/i ^ NG((a))] Pr[Q e P (a) h (a) | h i NG((a))]). 

Since h is uniformly random, using Theorem 12.31 we obtain 



(3.16) 



\G\ q\q^ + 1) 



From Proposition 12 . 61 and Lemma 13.71 we obtain 



s > 



2(9-1) 

[q-lf 2 {q-lf , 2 2 + (g-l)(q2_l) 



+ 0(1/(7). (3.18) 



_(g2 + l)deg/ g2(g2 + i) (^2 + 1) ^2(^2 + 1) (g2 + 1)2 

0(g-l) 
2(g-l)deg/ 

By Proposition [2111 the expected number of iterations of the outer repeat state- 
ment is 0(loglog(g)). The expected number of random selections to find h is 0(l). 
By Theorem ll.H diagonahsing a matrix uses expected O(logg) field operations, 
since it involves finding the eigenvalues, i.e. finding the roots of a polynomial of 
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constant degree over ¥g. Clearly, the expected time complexity for finding a is 
0(^ + log(g) log log (q)) field operations. 

From Corollary [321 it follows that line[9]uses O(logg) field operations. We con- 
clude that Algorithm 13 . 1 1 uses expected 0[{£,+XD(,Q)+^og{q) log log (g)) log log {q)) 
field operations. 

Each call to Algorithm 13.11 uses independent random elements, so the double 
cosets under consideration arc uniformly random and independent. Therefore the 
elements returned by Algorithm 13.11 must be uniformly random. The returned SLP 
is composed of SLPs of a and h, both of which have length 0(loglog{g)) because of 
the number of iterations of the loops. □ 

Corollary 3.9. Assume Conjecture 13.41 and an oracle for the discrete loga- 
rithm problem in Fg. There exists a Las Vegas algorithm that, given (X) ^ GL(4, q) 
such that G = {X) = Sz{q) and P £ O, finds a uniformly random g £ Gp, 
expressed as an SLP in X. The algorithm has expected time complexity 0((^ + 
-l-log(g') log log(q)) loglog(g)) field operations. The length of the returnedSLP 
is O(loglog(q)). 

Proof. We compute g as follows. 

(1) Find random x G G. Let Q = Px and repeat until P ^ Q. 

(2) Use Algorithm O to find y G G such that Qy = P. 

(3) Now g = xy £ Gp. 

We see from Algorithm 13.11 that the choice of y does not depend on x. Hence g 
is uniformly random, since x is uniformly random. Therefore this is a Las Vegas 
algorithm. The probability that P = Q is 1/ jOj, so the dominating term in the 
complexity is the call to Algorithm 13.11 with expected time complexity given by 
Theorem O 

The element g will be expressed as an SLP in X , since x is random and elements 
from Algorithm 13.11 are expressed as SLPs. Clearly the length of the SLP is the same 
as the length of the SLPs from Algorithm 13. II □ 

Remark 3.10. In fact, the algorithm of CoroUarv 13.91 works in any conjugate 
of Sz(g), since in Algorithm [XT] the diagonalisation always moves into the standard 
copy. 

3.1.3. Constructive membership testing. We will now give an algorithm 
for constructive membership testing in Sz(g). Given a set of generators X, such 
that G = {X) = Sz{q), and given g £ G, we want to express g as an SLP in X. 
The matrix degree is constant here, so we set ^ = ^(4). Membership testing is 
straightforward, using the first steps from the algorithm in Theorem 13. 2[ and will 
not be considered here. 

3.1.3.1. Preprocessing. The algorithm for constructive membership testing has 
a preprocessing step and a main step. The preprocessing step consists of finding 
"standard generators" for 02(Gp^) — T and 02(Gpo). In the case of 02(Gp^) the 
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standard generators are defined as matrices {S{ai, Xi)}"^^ U {<S'(0, 61)}"=! ^'^^ some 
unspecified Xi G F^, such that {oi, . . . , a„} and {61, . . . , 5„} form vector space bases 
of Vq over F2 (so n = log2 q — 2m + 1). 

Lemma 3.11. There exist algorithms for the following row reductions. 

(1) Given g — M' {X)S{a,b) e Gp^, find h e 02{Gp^) expressed in the 
standard generators, such that gh — M'{X). 

(2) Given g — S{a,b)M'{X) G Gp^, find h G 02{Gp^) expressed in the 
standard generators, such that hg = M'{\). 

(3) Given Poo P ^ O, find g G 02{Gp^) expressed in the standard genera- 
tors, such that Pg = Pq . 

Analogous algorithms exist for Gp^. If the standard generators are expressed as 
SLPs of length 0(n), the elements returned will have length 0(nfog(g)). The time 
complexity of the algorithms is 0(fog(q)'^) field operations. 

Proof. The algorithms are as follows. 

(1) (a) Solve a linear system of size log(q) to construct the linear combination 

a = 92.1/92,2 = Z]?"i^^ ^i'^i "^itli G F2. Let h' = Hiri^^ '^'(ai, x^)"' 
and g' = gh', so that g' = M'{X)S{0, b') for some b' G F,. 

(b) Solve a linear system of size \og{q) to construct the linear combination 
b' = g's,i/9i3 = E-Z^' P^h with A G F2. Let h" = n?"^' ^(0, b./)P^ 
and g" = g'h", so that g" = M'(A). 

(c) Now h = h'h". 

(2) Analogous to the previous case. 

(3) (a) Normalise P so that P = (a6 + a*+^ + b* : b : a : 1) for some a,b E¥q. 

Solve a linear system of size log{q) to construct the linear combination 
a = X^ilV^ cti^i "^itl^ € F2. Let ft.' = H?™!^^ S'(ai,Xi)"". 

(b) Solve a linear system of size log(g) to construct the linear combination 

b + = E^ITi^' P^b^ with A e F2. Let h" = ri'lTi^' -5(0, &.)^' 

(c) Now g = /I'ft" maps P to Pq. 

Clearly the dominating term in the time complexity is the solving of the linear 
systems, which requires O(log(g)'^) field operations. The elements returned are 
constructed using 0(\og{q)) multiplications, hence the length of the SLP follows. □ 

Theorem 3.12. Assume Coniecture lS.Al and an oracle for the discrete logarithm 
problem in ¥q . The preprocessing step is a Las Vegas algorithm that finds standard 
generators for 02(Gp^) and 02{Gpg), as SLPs in X of length 0(loglog(9)^) . It 
has expected time complexity 0((^ + xoiq) + log((7) loglog((7))(loglog((7))^) field 
operations. 

Proof. The preprocessing step proceeds as follows. 
(1) Find random elements ai G Gp^ and 61 G Gp^ using the algorithm from 
CoroUarv 13.91 Repeat until ai can be diagonalised to M'(A) G G, where 
A G F^ and A does not lie in a proper subfield of F^. Do similarly for bi. 



3.1. SUZUKI GROUPS 



59 



(2) Find random elements a2 E Gp^ and 62 G Gpg using the algorithm from 
Corollary 13.91 Let ci = [ai,a2], C2 — [61, &2]- Repeat until |ci| = |c2| =4. 

(3) Let Yoc = {ci, fli} and Yq = {c2, 61}. As standard generators for 02(Gp^) 
we now take 



It follows from (|2.9p and (|2.12p that p.l9p provides the standard generators for 
Gp^. These are expressed as SLPs in X, since this is true for the elements returned 
from the algorithm described in Corollary 13. 91 Hence the algorithm is Las Vegas. 

By Corollary 13.91 the expected time to find ai and 61 is 0((^ + xoiq) + 
log(g) loglog((?)) loglog(g)), and these are uniformly distributed independent ran- 
dom elements. The elements of order dividing q—1 can be diagonalised as required. 
By Theorem 12.11 the proportion of elements of order q—1 in Gp^ and Gpg is 
(f){q — l)/{q — 1). Hence the expected time for the first step is 0((^ + Xoiq) + 
log(g) loglog(q))(loglog(g))^) field operations. 

Similarly, by Proposition 12. 1 II the expected time for the second step is 0((^ + 
XD{q) +log(g)loglog((j))(loglog(g))2) field operations. 

By the remark preceding the theorem, L determines two sets of field elements 
{oi, . . . , a2m+i} and {61, . . . , 62m+i}- In this case each = aA' and hi — b\^'^^~^^\ 
for some fixed a, 5 e F^, where A is as in the algorithm. Since A does not lie in a 
proper subfield, these sets form vector space bases of Fg over F2 . 

To determine if oi or bi diagonalise to some M'(A) it is sufficient to consider 
the eigenvalues on the diagonal, since both oi and 61 are triangular. To determine 
if A lies in a proper subfield, it is sufficient to determine if |A| | 2" — 1, for some 
proper divisor n of 2m + 1. Hence the dominating term in the complexity is the 
first step. □ 

3.1.3.2. Main algorithm. Now we consider the algorithm that expresses g as an 
SLP in X. It is given formally as Algorithm 13.21 

Theorem 3.13. Alaorithm \'6.2\ is a Las Vegas algorithm with expected time com- 
plexity 0{£^-\-\og{qY) field operations. The length oftheSLP is 0(log(g)(loglog((;))^). 

Proof. First observe that since r is randomly chosen we obtain it as an SLP. 
On line H] we check if gr fixes a point, and from Proposition 12.61 we see that the 
probability that the test succeeds is at least 1/2. 

The elements found at lines [S] and [7] are constructed using Lemma 13.111 so we 
can obtain them as SLPs. 

The element h found at line [in] clearly has trace x, and it is constructed using 
Lemma l3.11[ so we obtain it as an SLP. From LemmaH^we know that h is conjugate 
to Af'(A) and therefore must fix 2 points of O. Hence lines [T3l and fT4l make sense, 
and the elements found are constructed using Lemma [3.111 and therefore we obtain 
them as SLPs. 



2m+l 




(3.19) 



and similarly we obtain U for O2 (Gp,,). 
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Algorithm O ElementToSLP(L, [/, 

1 Input: Standard generators L for Gp^ and U for Gpq. Matrix g e {X) = G. 

2 Output: An SLP for g in X. 
repeat 

3 r :— Random(G) 

4 until gr has an eigenspace Q E O 

5 Find zi € Gp^ using L such that Qzi = Pq. 

6 // Now (gry^^ e Gp„. 

7 Find Z2 € Gp^ using [/ such that (grY^ Z2 = M'(A) for some A G F^. 

8 // Express diagonal matrix as SLP 

9 x:= Tr(M'(A)) 

10 Find h = [5(0, (a:*)i/4), 5(0, 1)^] using LUU. 

11 // Now Tr(/i) = X. 

12 Let Pi, P2 G C be the fixed points of h. 

13 Find a G Gp^ using L such that Pi a ~ Pq. 

14 Find 6 G Gp^ using C/ such that {P2a)b = Poo- 

15 // Now /i"'' e Gp^ n Gp, = 7^, so h""^ e {Af'(A)±i}. 

16 if h"'' = Af'(A) 



then 

17 Let w be an SLP for {h°'''z2^Y^\~'^ . 

18 return w 
else 

19 Let w be an SLP for {{h'''')-'^ z^^yi\-'^ . 

20 return w 



end 

The only elements in H that are conjugate to h are M'(A)*^, so clearly 
must be one of them. 

Finally, the elements that make up w were found as SLPs, and it is clear that 
if we evaluate w we obtain g. Hence the algorithm is Las Vegas. 

From Lemma EH] it follows that lines El H [lOl [13] and [H use 0(log(g)3) field 
operations. 

Finding the fixed points of h, and performing the check at line 2] only amounts 
to considering eigenspaces, which uses O(logg) field operations. Thus the expected 
time complexity of the algorithm is 0(i^ + logg'^) field operations. 

The SLPs of the standard generators have length 0(loglog((7)^). Because of the 
row operations, w will have length 0(log(g)(loglog((7))^). 

□ 

3.1.4. Conjugates of the standard copy. Now we assume that we are given 
G ^ GL(4, (7) such that G is a conjugate of Sz(q), and we turn to the problem of 
finding some g G GL(4, q) such that G^ = Sz(g), thus obtaining an isomorphism to 
the standard copy. The matrix degree is constant here, so we set ^ = ^(4) 

Lemma 3.14. There exists a Las Vegas algorithm that, given {X) ^ GL(4, 
such that {X)^ = Sz{q) for some h £ GL(4, g), finds a point P G O'^ = 
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{Qh ^ I Q G O}. The algorithm has expected time complexity 
0((e + log(g) loglog(g)) log \og{q)) 

field operations. 

Proof. Clearly O'* is the set on which {X) acts doubly transitively. For a 
matrix A/'(A) e Sz{q) we see that the eigenspaces corresponding to the eigenvalues 
X±{t+i) will be in O. Moreover, every element of order dividing q — 1, in every 
conjugate G of Sz{q), will have eigenvalues of the form , fi^^ for some /i G , 

and the eigenspaces corresponding to /.t='=(*+^) will lie in the set on which G acts 
doubly transitively. 

Hence to find a point P e O'' ^ it is sufficient to find a random g e {X) , of order 
dividing q — 1. We compute the pseudo-order using expected 0(log(g) log log((7)) 
field operations, and by Proposition 12. 6( the expected time to find the element is 
0((^ + log(g) loglog((7)) loglog((7)) field operations. We then find the eigenspaces of 
9- 

Clearly this is a Las Vegas algorithm with the stated time complexity. □ 

Lemma 3.15. There exists a Las Vegas algorithm that, given {X) ^ GL(4, g) 
such that {X)'^ — Sz((7) where d = diag(fii, (i2 7 ^3, ^4) € GL{4:,q), finds a diagonal 
matrix e G GL(4, 5) such that {XY = Sz(g), using expected 

0((e + log(g) loglog(9)) loglog(g) + \X\) 

field operations. 

Proof. Let G = {X). Since G"* — Sz{q), G must preserve the symplectic form 



K ^dJd^ 












C?iC?4 








d2dz 








^2^3 








didi 












(3.20) 



where J is given by (|2.24p . Using the Meat Axe, we can find this form, which is de- 
termined up to a scalar multiple. Hence the diagonal matrix e = diag(ei, 62, 63, 64), 
that we want to find, is also determined up to a scalar multiple (and up to multi- 
plication by a diagonal matrix in Sz(g)). 

Since e must take J to K, we must have Ki^^ = did^ = 6164 and K2A = c?2'^3 = 
6263. Because e is determined up to a scalar multiple, we can choose 64 = 1 and 
ei = Ki^4. Hence it only remains to determine 62 and 63. 

To conjugate G into Sz{q), we must have Pe G O for every P e ^ , which is 
the set on which G acts doubly transitively. By Lemma l3.14l we can find P = {pi : 
P2 : P3 : 1) G , and the condition Pe — (piA'i_4 : ^2^2 : ^363 : 1) G O is given 
by (|2.13p and amounts to 

P2P3K2,3 + (^262)* + (^363)*+' - PlKi,4 = (3.21) 
which is a polynomial equation in the two variables 62 and 63. 
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Notice that we can consider e\ to be the variable, instead of 62, since if a; = e|, 
then 62 — ■ Similarly, we can let 63"''^ be the variable instead of 63, since if 
y = 63^^ then 63 — 1/^^*/^. Thus instead of (|3.2ip we obtain a linear equation 

pIx + pl+^y = piKi^i - P2P3K2,3 (3.22) 

in the variables x, y. Thus the complete algorithm for finding e proceeds as follows. 

(1) Find the form K that is preserved by G, using the MeatAxe. 

(2) Find P e 0'^~^ using Lemma EIH 

(3) Let P — (pi P2 ■ P3 ■ P4) and find Q — {qi ■ q2 ■ ■ 94) using Lemma[3T4] 
until the following linear system in the variables x and y is non-singular. 

pIx + pl'^^y = piKi^4 ~ P2P3K2.3 

(3.23) 

q^x + ^3+ y = gii^i,4 - q2q3K2,3 

By Proposition HHni the probability of finding such a Q is 1 — 0(1/^^). 

(4) Let (a, (3) be a solution to the linear system. The diagonal matrix e = 
diag(i4ri4, \/c?, /3^~*/^, 1) now satisfies — Sz{q). 

By Lemma 13.141 and Section 11.2.10.11 this is a Las Vegas algorithm that uses ex- 
pected 0((^ + log(9) loglog(g)) loglog((7) + \X\) field operations. □ 

Lemma 3.16. There exists a Las Vegas algorithm that, given subsets X, Yp 
and Yq o/GL(4,g) such that 02(Gp) < {Yp) Gp and 02{Gq) < (Yq) Gq, 
respectively, where {X) — G, G^ = Sz{q) for some h G GL(4, q) and P ^ Q E O'^ , 
finds k G GL(4, q) such that [G^Y — Sz((7) for some diagonal matrix d G GL(4, q). 
The algorithm has expected time complexity 0(|X|) field operations. 

Proof. Notice that the natural module F = of is uniserial with 
four non-zero submodules, namely Vi — {{vi,V2,V3,V4) € | vj = 0,j > for 
I = 1, ... ,4. Hence the same is true for (Yp) and (Yq) (but the submodules will be 
different) since they lie in conjugates of J-H. 

Now the algorithm proceeds as follows. 

(1) Let y = be the natural module for (Yp) and (Yq). Find composition 
series V = Vf > > Vf > Vf and V = > > > using 
the MeatAxe. 

(2) Let Ui = Vf, U2 = n V^, U3 = V:f n and C/4 = . For each 
i = 1, . . . , 4, choose Ui e Ui. 

(3) Now let k be the matrix such that k~^ has Ui as row z, for z = 1, . . . , 4. 

We now motivate the second step of the algorithm. 

One can choose a basis that exhibits the series {V^^}, in other words, such that 
the matrices acting on the module are lower triangular with respect to this basis. 
Similarly one can choose a basis that exhibits the series l^^^j- 

On the other hand, since P Q, there exists g' £ Sz{q) such that Phg' = Poo 
and Qhg' = Pq. If we let z — hg', then (Yp)^ and (Yq)^' consist of lower and upper 
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triangular matrices, respectively. Thus, the rows of z ^ form a basis of V that 
exhibits the series {^^} and the series l^;*^! i^i reversed order. 

With respect to this basis, it is clear that dim O — 1, dim O = 1 
and that all the Ui are distinct. Hence the basis chosen in the algorithm exhibits 
the series {V^^}, and it exhibits the series l^i*^! reverse order. Therefore the 
chosen k satisfies that (Xp)^ lower triangular and (Xo)^ upper triangular. The 
former implies that kz^^ is a lower triangular matrix, and the latter that it is an 
upper triangular matrix, and hence it must diagonal. 

Thus the matrix k found in the algorithm satisfies z = kd for some diagonal 
matrix d e GL(4, g). Since Sz(g) = — = {G^Y, the algorithm returns a 
correct result, and it is Las Vegas because the MeatAxe is Las Vegas. Clearly the 
expected time complexity is the same as the MeatAxe, so the algorithm uses 0(|Ar|) 
field operations. □ 

Theorem 3.17. Assume Conjecture 13.41 There exists a Las Vegas algorithm 
that, given a conjugate (X) ofSz{q), finds g G GL(4, q) such that (X)^ = Sz{q). The 
algorithm has expected time complexity 0((^ + log{q) loglog((7))(loglog((7))^ + \X\) 
field operations. 

Proof. Let G — {X). By Remark l3.10[ we can use CoroUarv 13.91 in G, and 
hence we can find generators for a stabiliser of a point in G, using the algorithm 
described in Theorem 13. 121 In this case we do not need the elements as SLPs, so a 
discrete log oracle is not necessary. 

(1) Find points P,Q £ O'' "' using Lemma [SHI Repeat until P ^ Q. 

(2) Find generating sets Yp and Yq such that 02(Gp) < {Yp) < Gp and 
02(Gq) < (Yq) ^ Gq using the first three steps of the algorithm from 
the proof of Theorem 13.121 

(3) Find k E GL(4, g) such that [G^'Y ^ Sz((7) for some diagonal matrix 
d e GL(4, g), using Lemma [3.161 

(4) Find a diagonal matrix e using Lemma 13.151 

(5) Now g — ke satisfies that G^ = Sz(q). 

Be Lemma 13.141 13.161 and I3.15| and the proof of Theorem I3.12|, this is a Las 
Vegas algorithm with expected time complexity as stated. □ 

3.1.5. Tensor decomposition. Now assume that G ^ GL((i, g) where G = 
Sz(g), d> A and q = 2^™+^ for some m > 0. Then AutFg = {ij}), where if) is the 
Frobenius automorphism. Let W be the given module of G of dimension d and let 
V be the natural module of Si{q) of dimension 4. From Section fl. 2. 71 and Section 
12.1.31 we know that 

W V^^'' ® V^^"' F'^"""' (3.24) 

for some integers 5j io < *i < • • • < *n-i ^ 2m. In fact, we may assume that 
«o = and clearly d = dimPl^ = (dimF)" = 4". As described in Section [1.2.71 we 
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now want to tensor decompose W to obtain an effective isomorphism from W to 
V. 

3.1.5.1. The main algorithm. We now describe our main algorithm that finds 
a tensor decomposition of W when q is large. It is sufficient to find a flat in W. For 
fc = 0, . . . , n—1, let Hk ^ GL(4, q) be the image of the representation corresponding 
to V"^ ^ , and let pk '■ G Hk be an isomorphism. Our goal is then to find pk 
effectively for some k. 

We begin with an overview of the method. Our approach for finding a flat in W 
is to consider eigenspaces of an element of G of order dividing q—1. By Proposition 
12.61 we know that such elements are easy to find by random search. 

Let g ^ G where \g\ =^ q — 1, and let t = 2"'+^. By Proposition 12.41 we know 
that for k — 0, . . . ,n — I, pk{g) has four distinct eigenvalues A^^ and A^^*^^'' for 
some Afc G F^. Also, the eigenspaces of Pk{g) have dimension 1. Our method for 
finding a flat in W is to construct a line as a suitable sum of eigenspaces of g. 

Let E be the multiset of eigenvalues of g, so that = d and every element of 
E has the form 

A^Af •••A^- (3.25) 
where each Afe G and each jk G {±1, ±{t + 1)}. A set E' C that satisfies 

• \E'\ = n 

• Xk ^ E' or A^:^ e E' for each k = 0, . . . ,n - 1 

is a set of base values for E. Clearly E is easily calculated from E' . 

Moreover A^ = Aq , and since \g\ = q — 1 we must have |Afe| = q—1 for 
k = 0, . . . ,n - 1. For every Os^fc<Zs$n-lwe have < 2*'' ± 2*' < g - 1 and 
therefore Afc ^ Xf^. 

First we try to find a set of base values for E. 

Conjecture 3.18. Assume m> n. Let S — ^y/e/f : e, f e E \ e ^ and 

P ^ {x e S \ yee E3y e {a;,a;-\a;*+\a;"*-i} : 

{eyx,eyx~^,eyx*'^^,eyx~'^~^} C E}. (3.26) 

Then the following hold: 

• P contains a set of base values for E. 

• // the twists do not have a subsequence ir < i,. + 1 < V + 2, then \P\ — 2n 
and hence P consists of the base values and their inverses. 

If the twists have a subsequence of the form in the Conjecture, or more generally 
a subsequence of length /, then Hi^o Ar+i S P for every j = 0, . . . ,1 — 1. Hence we 
need more conditions to extract the base values. 

Conjecture 3.19. Let P be as in Lemma \^AEl Define P' C P to be those 
X € P for which there exists — ao < ai <■■■< an ^ 2m such that a;"' e P for 
every i — 0, . . . ,n. Then \P'\ = 2n and hence P' consists of the base values and 
their inverses. 
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Let Si denote the sum of eigenspaces of g corresponding to the eigenvalues 
Aq" • • • Ai • • • Xl^Si and Aq" • • • A^^^ • • • X^^^i , where each jk ranges over {±1, ±{t + 1)}. 

Lemma 3.20. If dim Sk = 2 • 4"^^ for some ^ fc ^ n — 1, then Sk is a line in 

W. 

Proof. For each i = 0, ... ,n — 1, let e^. be an eigenvector of Pi{g) for the 
eigenvalue Af , where ji G {±l,±(i + 1)}. Observe that W contains the following 
subspace. 

L = {ej„ ® • • • ® ej„_, I j, e {±1, ±{t +l)},i^k, jk e {±1}) 

Clearly, L is of the form F'^'" (g) • • • «) V"^'""' (g)A® yi,'"*^ p-'A'"-^ where 

dim^ = 2, so L is a line in W of dimension 2 • 4"^^. 
If w = (g • • • (g ej„_j e i, then 

vg = ejopo(g) (g • • • (g ej„_ip„_i(g) = A^^e^,, g) • • • g) A^Ti ej„_i = 

and hence w G 5^. Therefore L ^ Sk, so if dim5fc = 2 • 4"~^ then L ~ Sk and thus 
Sfc is a line in W. 

□ 

The success probability of the algorithm for finding a flat relies on the following 
Conjecture. 

Conjecture 3.21. Let d = 4" with n> 1 be fixed. If q = 2^™+^ andm ^ 
then for every absolutely irreducible G ^ GL((i, q) wit/i G = Sz((7) anc? every g (z G 
with \g\ ^ q — 1, iwe /laue dimS'i = 2 • 4"""'^ for some 5j i ^ n — 1. 

The algorithm for finding a flat is shown as Algorithm 13.31 

Theorem 3.22. Assume Conjectures \'S.18\. [5.191 awd [3.211 Algorithm 13.31 is a 
Las Vegas algorithm. The algorithm has expected time complexity 

0((e(rf) + log((7) loglog((z'')) loglog((z)) 

field operations. 

Proof. The expected number of iterations in the initial loop is 0(l). Hence 
the expected time for the loop is 0(^(d) + d"^ log(g) loglog(g'^)) field operations. 
If IffI =9^1 then line [7] will succeed, and Conjecture 13.211 asserts that line [TT] 
will succeed for some i. If |f;| is a proper divisor of g — 1 then these lines might 
still succeed, and the probability that jgl = q — 1 is high. By Proposition 12.61 the 
expected number of iterations of the outer repeat statement is 0(loglog(g)). 

If line [12] is reached, then the algorithm returns a correct result and hence it is 
Las Vegas. 

To find the eigenvalues of g, we calculate the characteristic polynomial of g 
using 0((i'^) field operations, and find its roots using Theorem ll.il By Conjectures 
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Algorithm 13.31 TensorDecomposeSz(X) 

1 Input: Generating set X for G = Sz{q) witli natural module W, where 
dimW^ = 4", n > 1, g = 2^"+^ with m> n and W is absolutely 
irreducible and over . 

2 Output: A line 5" in W. 

II FindBaseValues is given by Conjectures 13.181 and 13.191 
repeat 

/ / Find random element g of pseudo-order q~ \ 
repeat 

3 g := Random(G') 

4 until \g\ | g — 1 

5 E :— ElGENVALUES(5) 

6 TV := FindBaseValues(£') 

7 until |iV| = n 

8 for i := to n — 1 

do 

// LctiV = {Ao,...,A„_i} 

9 := {a^o" ■ • • a. • • • I Jfe e {±1, ±{t + 1)}} 

u { A^o" • • • ■ ■ ■ I Jk e {±1, ±(i + 1)}} 

10 := J2eeE, Eigenspace(5, e) 

11 if dimS'j = 2-4"-i 

then 

12 return Si 
end 

end 



13.181 and 13.191 the rest of the algorithm uses 0(^(Pn\og{q)^ field operations. Thus 
the theorem follows. □ 

3.1.5.2. Small field approach. When q is small, the feasibility of Algorithm l3.3l 
is not guaranteed. In that case the approach is to find standard generators of G 
using permutation group techniques, then enumerate all tensor products of the form 
p.24p and for each one we determine if it is isomorphic to W. 

Since q is polynomial in d, this will turn out to be an efficient algorithm which 
is given as Algorithm l3.4l It finds a permutation representation of G Sz(g), which 
is done using the following result. 

Lemma 3.23. There exists a Las Vegas algorithm that, given (X) ^ GL(c!, q) 
such that q = 2^™^^ with m > and {X) = Sz{q), finds an effective injective 
homomorphism H : (X) — s- Sym(O) where \0\ = q^ + 1. The algorithm has expected 
time complexity 0(^q^{£_{d) + \X\ + d'^) + d^) field operations. 

Proof. By Theorem l2.H Sz{q) acts doubly transitively on a set of size + 1. 
Hence G — {X) also acts doubly transitively on O, where \0\ = + 1, and we can 
find the permutation representation of G if we can find a point P E O. The set O 
is a set of projective points of F^, and the algorithm proceeds as follows. 
(1) Choose random g E G. Repeat until |f;| \ q — 1. 
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(2) Choose random x E G and let h — g^. Repeat until [<?, /i]* = 1 and 
[9,h]^l. 

(3) Find a composition series for the module M of {g, h) and let P C M be 
the submodule of dimension 1 in the series. 

(4) Find the orbit O = P'^ and compute the permutation group S ^ Sym(O) 
of G on O, together with an effective isomorphism 11 : G ^ S". 

By Proposition 12.41 elements in G of order dividing q — 1 fix two points of O, 
and hence {g^h) ^ Gp for some P S O if and only if g and h have a common fixed 
point. All composition factors of M have dimension 1, so a composition series of 
M must contain a submodule P of dimension 1. This submodule is a fixed point 
for (g, ft.) and its orbit must have size + 1, since |G| — q^{q^ + l)(<z — 1) and 
\Gp\ = q^{q - 1). It follows that P G O. 

All elements of G of even order lie in the derived group of a stabiliser of some 
point, which is also a Sylow 2-subgroup of G, and the exponent of this subgroup is 
4. Hence [5, = 1 if and only if ((7, h) lie in a stabiliser of some point, if and only 
if g and h have a common fixed point. 

To find the orbit O — P'^ we can compute a Schreier tree on the generators A", 
with P as root, using 0(|A'| |0|(i^) field operations. Then H{g) can be computed 
for any g E {X) using 0(|0| (P) field operations, by computing the permutation on 
O induced by g. Hence H is effective, and its image S is found by computing the 
image of each element of X. Therefore the algorithm is correct and it is clearly Las 
Vegas. 

We find g using expected 0((^(d) + log((j') log log((7'')) log log(q)) field op- 
erations and we find h using expected 0((^((i) + (P)q^) field operations. Then P 
is found using the Meat Axe, in expected 0{d'^) field operations. Thus the result 
follows. □ 

Proposition 3.24. Let G = {X) ^ Sym(O) such that G 9^ Sz{q) = H. There 
exists a Las Vegas algorithm that finds x, h, z E G as SLPs in X such that the map 

X ^ S{1,0) 

h ^ M'{X) (3.27) 
z I— > T 

is an isomorphism. Its time complexity is 0((7'^ log(q)^) . The length of the returned 
SLPs are 0(q) . 

Proof. Follows from [BB07[ Theorem f]. □ 

Theorem 3.25. Assume Conjecture 13.241 Algorithm 13.41 is a Las Vegas algo- 
rithm with expected time complexity 

0{q\^{d) + \X\d^+dHog\og{q)+q^\og{qf)+d^\X\ (^^™^) + d)) 

field operations. 
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Algorithm 13.41 SmallFieldTensorDecompose(X) 

1 Input: Generating set X for G = Sz{q) with natural module W, where 
dimW' = 4", n > 1, g = 22"+i, to > and is absolutely 
irreducible and over 

2 Output: A change of basis matrix c which exhibits W as p.24p . 
// Find permutation representation, i.e. permutation group and 
// corresponding isomorphism 

3 {tt,Pg) := SuzukiPermRep(G) 

4 x,h,z :— StandardGens(Pg) 

5 Evaluate the SLPs of x, ft,, z on G to obtain the set Y. 

6 H := (Y) 

7 T:= {{n, . . . ,i„) I < < • • • < z„ < 2to} 
/ / Let V be the natural module of H 

8 for gT 

do 

9 C/ := l/V'-i . . . ® y'^'" 

/ / Find isomorphism between modules 

10 iflag,c) := ModuleIsomorphism([/, W^) 

11 if flag = true 

then 

12 return c 
end 

end 



Proof. The permutation representation tt can be found using Lemma 13.231 
and the elements x, /i, z are found using Conjecture 13.241 Testing if modules are 
isomorphic can be done using the MeatAxe. 

If the algorithm returns an element c then the change of basis determined by c 
exhibits 14^ as a tensor product, so the algorithm is Las Vegas. 

The lengths of the SLPs of h, z is 0{q^ loglog(g)), so we need □(d'^g^ loglog((7)) 
field operations to obtain Y . The set T has size . Module isomorphism testing 
uses 0(|X|c?'^) field operations. Hence by Conjecture 13.241 and Theorem 13.231 the 
time complexity of the algorithm is as stated. □ 

3.1.6. Constructive recognition. Finally, we can now state and prove our 
main theorem. 

Theorem 3.26. Assume the Suzuki Conjectures and an oracle for the discrete 
logarithm problem in ¥g. There exists a Las Vegas algorithm that, given {X) ^ 
Gh{d,q) satisfying the assumptions in Section \l.2.7[ with q =^ 2'^™+^, to > and 
(X) ?^ Sz(q), finds an effective isomorphism ip : {X) — > S7,{q) and performs prepro- 
cessing for constructive membership testing. The algorithm has expected time com- 
plexityO{^{d)i(P + ilog\ogiq))^)+d'' loglog(d)+d4 log(g) loglog(g)(log(d) + 

loglog(g)) +log(g)(loglog(g))3 + XD{q)(^og\og{q)f) field operations. 

The inverse ofip is also effective. Each image of ip can be computed using 
field operations, and each pre-image using expected 



0{ad) + log{q f + d' log(g)(loglog(g))2) 
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field operations. 

Proof. Let V be the module of G = {X). From Section [?.1.3I we know that 
d = 4" where n ^ 1. The algorithm proceeds as follows: 

(1) If = 4 then use Theorem [3T7l to obtain y e GL{A,q) such that = 
Sz{q), and hence an effective isomorphism ip : G Sz{q) defined by 
9 '-^ 9^- 

(2) If m > n, use Algorithm 13.31 to find a flat L ^ V. Then use the tensor 
decomposition algorithm described in Section 11.2.10.31 with L, to obtain 
X € GL{d, q) such the change of basis determined by x exhibits F as a 
tensor product U ^ W, with dim U ~ 4. Let Gjj and Gw be the images 
of the corresponding representations. 

(3) If instead m ^ n then use Algorithm 13.41 to find x. 

(4) Define pu : Gu<^w Gu as 9u®9w^ 9u and let Y = {/3c/(g^) | g e X}. 
Then (Y) is conjugate to Sz((7). 

(5) Use Theorem[XI7|to get y e GL(4,g) such that {Y)'" = Sz{q). 

(6) An effective isomorphism ip : G Sz(g) is given by g i— s- pu{g'^)^ . 

The map p;/ is straightforward to compute, since given g G GL{d, q) it only involves 
dividing g into submatrices of degree 4"~^, checking that they are scalar multiples 
of each other and returning the 4x4 matrix consisting of these scalars. Since x 
might not lie in G, but only in ^G'L{d,q)iG) ^ G:¥q, the result of pu might not have 
determinant 1. However, since every element of has a unique 4th root, we can 
easily scale the matrix to have determinant 1 . Hence by Theorems I3.22[ 13.251 and 
13.17^ the algorithm is Las Vegas and any image of (p can be computed using 0[d'^) 
field operations. 

In the case where we use Algorithm 13.41 we have m ^ n, hence (^!!\) < d and 
q ^ d. The expected time complexity to find x in this case is 0(^(d)d^ + + 
dloglog((i))) field operations. 

By TheoremlXm finding L uses 0{{^{d) + d^ log{q) loglog(g'')) loglog(g)) field 
operations. From Section [1.2.10.3l finding x uses 0((i'^ log(g)) field operations when 
a flat L is given. By Theorem I3.17( finding y uses expected 0((^ + xoiq) + 
log((7) loglog(g))(loglog((7))^ + |y|) field operations, given a random element or- 
acle for (Y) that finds a random element using O(^) field operations. In this case 
we can construct random elements for (Y) using the random element oracle for 
{X), and then we will find them in 0(^((i)) field operations. 

Hence the expected time complexity is as stated. Finally, Lp~^{g) is computed 
by first using Algorithm 13.21 to obtain an SLP of g and then evaluating it on X. 
The necessary precomputations in Theorem 13.121 have already been made during 
the application of Theorem 13.171 and hence it follows from Theorem 13.131 that the 
time complexity for computing the pre-image of g is as stated. □ 
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3.2. Small Ree groups 

Here we will use the notation from Section 12.21 We will refer to Conjectures 
13.44113. 50l 13. 51(13. 521 13. 571 and l3.60l simultaneouslv as the small Ree Conjectures. We 
now give an overview of the algorithm for constructive recognition and constructive 
membership testing. It will be formally proved as Theorem 13.621 

(1) Given a group G ^ Ree(q), satisfying the assumptions in Section f 1.2. 71 we 
know from Section 12.2.31 that the module of G is isomorphic to a tensor 
product of twisted copies of either the natural module of G or its 27- 
dimensional module. Hence we first tensor decompose this module. This 
is described in Section r3. 2. 51 

(2) The resulting group has degree 7 or 27. In the latter case we need to 
decompose it into degree 7. This is described in Section r3. 2. 61 

(3) Now we have a group of degree 7, so it is a conjugate of the standard copy. 
We therefore find a conjugating element. This is described in Section [5.2.4l 

(4) Finally we are in Ree((7). Now we can perform preprocessing for construc- 
tive membership testing and other problems we want to solve. This is 
described in Section 15.2.31 

Given a discrete logarithm oracle, the whole process has time complexity slightly 
worse than 0(d^ -t-log(q)'^) field operations, assuming that G is given by a bounded 
number of generators. 

3.2.1. Recognition. We now consider the question of non-constructive recog- 
nition of Ree(g), so we want to find an algorithm that, given {X) ^ GL{d, q), decides 
whether or not {X) = Kee{q). We will only consider this problem for the standard 
copy, i.e. we will only answer the question whether or not {X) — I{ee{q). 

Theorem 3.27. There exists a Las Vegas algorithm that, given {X) ^ GL(7, q), 
decides whether or not (X) = Ree(g). The algorithm has expected time complexity 
0((To(log(g))(|X| + \og{q))) field operations. 

Proof. Let G = Ree(q), with natural module M. The algorithm proceeds as 
follows: 

(1) Determine ii X C G and return false if not. All the following steps must 
succeed in order to conclude that a given g G X also lies in G. 

(a) Determine if g & S0(7, q), which is true if detg — 1 and if gJg^ = J, 
where J is given by (|2.40p and where g^ denotes the transpose of g. 

(b) Determine if g £ G2 (q) , which is true if g preserves the algebra multi- 
plication • of M . The multiplication table can easily be precomputed 
using the fact that ii v,w G M then v ■ w = f{v (g) w), where / is a 
generator of }iomc{M (g) M, M) (which has dimension 1). 

(c) Determine if 17 is a fixed point of the exceptional outer automorphism 
of G2 (q) , mentioned in Section 12.2.21 Computing the automorphism 
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amounts to extracting a submatrix of the exterior square of g and 

then replacing each matrix entry x hy . 
(2) If {X) is not a proper subgroup of G, or equivalently if {X) is not con- 
tained in a maximal subgroup, return true. Otherwise return false. By 
Proposition 12.201 it is sufficient to determine if {X) cannot be written 
over a smaller field and if (X) is irreducible. This can be done using the 
algorithms described in Sections 11.2.10.11 and 11.2.10.21 

Since the matrix degree is constant, the complexity of the first step of the 
algorithm is 0(l) field operations. For the same reason, the expected time of the 
algorithms in Sections [1210 and [II2IE3 is 0(CTo(log((j))(|X| + log(g))) field 
operations. Hence our recognition algorithm has expected time as stated, and it is 
Las Vegas since the Meat Axe is Las Vegas. □ 

3.2.2. Finding an element of a stabiliser. Let G — Kee{q) = {X). In this 
section the matrix degree is constant, so we set ^ = ^(7). The algorithm for the 
constructive membership problem needs to find independent random elements of 
Gp for a given point P. This is straightforward if, for any pair of points P, Q G O, 
we can find g e G as an SLP in X such that Pg = Q. 

The general idea is to find an involution j G G by random search, and then 
compute CgO) = (j) x PSL(2,g) using the Bray algorithm described in Section 
11.2.9.21 The given module restricted to the centraliser splits up as in Proposition 
12.181 and the points P,QgO restrict to points in the 3-dimensional submodule. If 
the restrictions satisfy certain conditions, we can then find an element g £ Cg(j) 
that maps these restricted points to each other, and we obtain g as an SLP in the 
generators of Caij) using Theorem 11.121 It turns out that with high probability, 
we can then multiply g by an element that fixes the restriction of P so that g also 
maps P to Q. A discrete logarithm oracle is needed in that step. Since the Bray 
algorithm produces generators for the centraliser as SLPs in X, we obtain g as an 
SLP in X. 

If any of the steps fail, we can try again with another involution j, so using 
this method we can map P to Q for any pair of points P,Q £ O. 

It should be noted that it is easy to find involutions using the method described 
in Section ri.2.51 since by Corollarv l2.241 it is easy to find elements of even order by 
random search. 

3.2.2.1. The involution centraliser. To use the Bray algorithm we need to pro- 
vide an algorithm that determines if the whole centraliser has been generated. Since 
we know what the structure of the centraliser should be, this poses no problem. If 
we have the whole centraliser, the derived group should be PSL(2, q), and by Propo- 
sition [2T271 with high probability it is sufficient to compute two random elements of 
the derived group. Random elements of the derived group can be found as described 
in Section [T.2.61 
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We can therefore find the involution centrahser CciJ) ^ G and CgO)' = 
PSL(2,g). 

Lemma 3.28. There exists a Las Vegas algorithm that, given (Y) ^ G such that 
(Y) ~ Cg(j) for some involution j G G, finds 

• the submodule Sj ^ Vj described in Proposition \2. 18l 

• an effective (Y) -module homomorphism (fy '■ Vj ~* Sj: 

• the induced map Lpo : P(Vj ) — s- P(S'j), 

• the corresponding map ipc from the 7 -dimensional representation ofCcij) 
to the i- dimensional representation. 

The maps can be computed using 0(i) field operations. The algorithm has expected 
time complexity 0(|K|) field operations. 

Proof. This is a straightforward appUcation of the MeatAxe, so the fact that 
the algorithm is Las Vegas and has the stated time complexity follows from Sec- 
tion 11.2.10.11 The maps consist of a change of basis followed by a projection to a 
subspace, and so the Lemma follows. □ 

Lemma 3.29. Use the notation of Lemma l3.28l There exists a Las Vegas algo- 
rithm that, given H = (Y) = (^^(CgO)') for an involution j G G, finds effective 
isomorphisms pc : (Y) PSL(2,g), 773 : PSL(2,g) ^ (Y) and ttt : (Y) ~* GaUY ■ 

The map is the symmetric square map o/PSL(2,<7); both LpQa-Kj and n^o pQ 
are the identity on (Y). The maps pa and tt^ can be computed using 0(l) field 
operations and can be computed using 0(log(g)'^) field operations. The algorithm 
has expected time complexity 0((^ + log{q) loglog((7)) loglog((7) + \Y\ + Xoiq)) field 
operations. 

Proof. By Proposition I2.18( the group (Y) is an irreducible 3-dimensional 
copy of PSL(2, q), so it must be a conjugate of the symmetric square of the natural 
representation. By using a change of basis from the algorithm in Theorem 11.121 
we may assume that it is the symmetric square. Moreover, we can use Theorem 
II. 121 to constructively recognise (Y) and obtain the map pc- We can also solve the 
constructive membership problem in the standard copy, and by evaluating straight 
line programs we obtain the maps tts and ny. 

It follows from Theorem I 1 . 1 21 that the expected time complexity is as stated. □ 

3.2.2.2. Finding a mapping element. We now consider the algorithm for finding 
elements that map one point of O to another. The notation from Lemma [3. 281 and 
[SlUwill be used. 

If we let M — (x) (y) then we can identify P(5'j) with the space of quadratic 
forms in x and y modulo scalars, so that Sj — (x^) {xy) {v^)- Then (^gICgO)') 
acts projectively on ¥{S.j) and \f{Sj)\ = |p2(F,)| = {q^ - l)/{q - I) = q^ + q + 1. 

Proposition 3.30. Use the notation from Lemma W?^ and W^ 
(1) The number of points in O that are contained in Ker((/Jy) is q + 1. 
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(2) The map ipo restricted to O is not injective, and \ipo{0)\ ^ q^. 

Proof. (1) The map (^y is the projection onto S'j, so the kernel are those 

vectors that he in Tj. From the proof of Proposition 12 . 18) with respect to 
a suitable basis, Tj is the — 1-eigenspace of h{—l). Hence by Proposition 
\OnP{Tj)\ + 

(2) Since \0\ ^ + 1 and \P{Sj)\ = + g + 1, it is clear that the map is 
not injective. In the above basis, the map (pv is defined by (pi, . . . ,737) 1-^ 
{p2,Pi,P6)- Hence if Poo ^ P & O then ifoiP) = (a* ■ [abY ~ : -c- 
{bcy - a^'+^ ^ a'b^'). 

If a = c = we do not get a point in P^(Fg) and if a = and 
c ^ we obtain q points. Now let a ^ and let {x, y) e such that 
+ 2/ 7^ 0. Then —x^ — y is & square in if and only if {—x"^ — y)* is a 
square, so {—x^ — yY~* is always a square. Hence, if c = 0, = x^*- and 
a = (-.t2 - the image of P is (1 : a; : y) G p2(F,). This gives 

q^ — q points. 

□ 



Proposition 3.31. Under the action of H = (Y) = (pGiCcij)'), the set P{Sj) 
splits up into 3 orbits. 

(1) The orbit containing xy, i.e. the non- degenerate quadratic forms that rep- 
resent 0, which has size q{q + l)/2. 

(2) The orbit containing x'^ + y^ , i.e. the non-degenerate quadratic forms that 
do not represent 0, which has size q{q — l)/2. 

(3) The orbit containing (and y"^), i.e. the degenerate quadratic forms, 
which has size q + 1 . 

The pre-image in SL(2, (7) of pG{^PG{GG{j)')xy) is dihedral of order 2{q — 1), gen- 
erated by the matrices 



(3.28) 



a 




' 1" 


a-^ 




-1 



where a is a primitive element of ¥q . 

b 



Proof. Let g 
:2t 



a 

c d 



be any element of PSL(2,g), so that the symmetric 



square h — S (g) — irsig) € (pGiCGij)')- Notice that 

-ab 

h = ac ad -\- be bd 
—ad d^ 



(3.29) 



Let P = {xy)h, Q = {x'^)h and i? = (x^ + y'^)h be points in f{Sj). Then P = 
(ac)x2 + {ad + bc)xy + {bd)y'^ , and the equation P — x^ implies that b = Q or d ~ 0. 
If = then d = or a ~ Q which is impossible since dett; = 1. Similarly, we 
cannot have d — 0, and hence xy and x^ are not in the same orbit. 
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Algorithm 13.51 FindMappingElement(X, CgO), Q) 

1 Input: Generating set X for G = Ree((7). 

Points P ^ Q € O such that both tfo{P) and fo{Q) are non-degenerate and 
represent 0. Involution centraHser CgO) with the maps from 
Lemma [5^^ and 

2 Output: An element h G, written as an SLP in X, such that Ph — Q. 

3 Ps-.^ifioiP) 

5 if 3 upper triangular g e PSL(2, q) such that P37r3((7) = Q3 
then 



6 i?3 := ipo{Pt^7{t^3{9))) 

7 II Now i?3 = Q3 

8 Find c G GL(3, g) such that [xy)c = R3 

9 Let D be the image in PSL(2, q) of the diagonal matrix in (|3.28p 

10 s := 717(^3 

11 ll^ow {s)^^^\Hn,) 

12 (5, 2; := Diagonalise(s) 

13 // Now S = s^ 

14 if 3A G such that (P7r7(7r3(5))z)/i(A) = Qz 

then 

15 i := DiscreteLog((5, /i(A)) 

16 // Now = h{X) 

17 return 7r7(7r3(5))s* 
end 



end 

18 return fail 

Similarly, let Q = a^x^ — {ah)xy + b^y^ , and then the equation Q ~ + 
implies that a = or = 0, which is impossible. Hence and x^ + are not in 
the same orbit. 

Finally, let R = {a'^ + c^)x^ — {ab + cd)xy + {b'^ + tP)y^ , and the equation R — xy 
implies that + = 0. Since —1 is not a square in Fg, we must have a — c ^ Q. 
But this is impossible since det g = 1. Hence x'^ + y'^ and xy are not in the same 
orbit. 

To verify the orbit sizes, consider the stabilisers of the three points. Clearly 
the equation Q ~ x^ implies that = 0, so the stabiliser of x"^ consists of the 
(projections of the) lower triangular matrices. There are 9 — 1 choices for a and q 
choices for c, so the stabiliser has size q{q — l)/2 modulo scalars, and the index in 
H is therefore g + 1 . 

Similarly, the equation P = xy implies that ac = bd = 0. If a = d = we 
obtain a matrix of order 2 and if 6 = c = we obtain a diagonal matrix. It follows 
that the stabihser is dihedral of order q — 1, and that the pre-image in SL(2, q) is 
as in ((X^ . 

Finally, in a similar way we obtain that the stabiliser of x^ + has order q+1, 
and hence the three orbits make up the whole of P{Sj). □ 



The algorithm that maps one point to another is given as Algorithm 13.51 
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3.2.2.3. Finding a stabilising element. The complete algorithm for finding a 
uniformly random element of Gp is then as follows, given a generating set X for G 
and P eO. 

(1) Find an involution j G G. 

(2) Compute probable generators for CgU) using the Bray algorithm, and 
probable generators for CgO)' by taking commutators of the generators 
of Caij). 

(3) Use the Meat Axe to verify that the module for Cg(j)' splits up only as 
in Proposition 12.181 Use Theorem 11.131 to verify that we have the whole 
of CgUY- Return to the previous step if not. 

(4) Compute the maps 1^90 and ipa using Lemma 13.281 Return to the first 
step if P lies in the kernel of ipv, if foiP) is degenerate, or if it does not 
represent 0. 

(5) Compute the maps from Lemma 13.291 

(6) Take random gi g Caij)' and let Q — Pgi. Then (po{Q) — fo{P)'PG{9i), 
so Q is not in the kernel of (pv, and (po{Q) is non-degenerate and repre- 
sents 0. Repeat until P ^ Q. 

(7) Use Algorithm 13.51 to find 92 G CgO)' such that Q = Pg2- Return to the 
previous step if it fails, and otherwise return gig2^ ■ 

3.2.2.4. Correctness and complexity. 

Lemma 3.32. If P ^ O is uniformly random, such that P ^ Ker((y9y), then 
ipo{P) is non- degenerate and represents with probability at least 1/2 + 0(l/g). 

Proof. Since P is uniformly random and ipo was chosen independently of 
P, it follows that ipo{P) is uniformly random from ipo{0). From the proof of 
Proposition 13.301 with probability 1 — 0(l/g), (po{P) = x"^ + bxy + cy^ where 
(1 : 6 : c) is uniformly distributed in P^(¥q) such that 6^ + c 7^ 0. 

This represents if the discriminant 6^ — c is a non-zero square in ¥q. This is 
not the case if b^ = c, but since b^ + c 0, this implies 6 = c = 0. If 5^ — c 7^ then 
it is a square with probability 1/2, so 

L Q g 

and the Lemma follows. □ 

Lemma 3.33. If P,Q G ipoiO) are uniformly random, such that ipa{P) and 
foiQ) represent 0, then the probability that there exists an element g G PSL(2, (7), 
such that the pre-image of g in SL(2, is upper triangular and P'K^{g) = Q, is at 
least 1/2 + 0(1/(7). 

Proof. Let P ~ + axy + fey^, Q = x"^ + Ixy + ny'^ and 

" " (3.30) 

1/u ^ ' 
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where (1 : a : 6) and {1 : I : n) are uniformly distributed in P^(Fq), u,v E¥q and 
M ^ 0. 

We want to determine u, v such that PTT^{g) — Q. Note that g is the pre-image 
in SL(2, q) of an element in PSL(2, q) and therefore ±m determine the same element 
of PSL(2, q). The map tts is the symmetric square map, so 

,,2 



'r3(.9)-52(g)- 
This leads to the following equations 



u —uv v 
1 v/u 

1/1*2 



(3.31) 



1*2 = C (3.32) 
-uv + a = Cl (3.33) 
v'^ + avu-^ + bu-'^ = Cn (3.34) 

for some C £ ¥^ . We can solve for u in l|3.32p and for v in p.33p , so that l|3.34p 
becomes 

C2(n-m2) + a2-fe = (3.35) 

This quadratic equation has a solution if the discriminant — {n~m? ) (a^ — 6) e (F^ ) ^ . 
This does not happen if n = or 6 = a^, which each happens with probability 
q/{q^ + 9+1). If the discriminant is non-zero then it is a square with probability 
1/2. Therefore, the probability that we can find g is 

Pr[-(n - m^){a^ - b) e (W^)'] = ^(1 - „ \ 

^ 2 q-^ + q + 1 

This is 1/2 + 0(1/(7) and the Lemma follows. □ 



Theorem 3.34. // Algorithm 13.51 returns an element g, then Pg — Q. If P 
and Q are uniformly random, such that ipa{P) and ipoiQ) represent 0, then the 
probability that Alaorithm \'S.5\ finds such an element is at least 1/4 + 0(1/(7). 



Proof. By Proposition 13.311 the point i?3 is in the same orbit as xy, so the 
element c at line [8] can easily be found by diagonalising the form corresponding to 
i?3. Then ^^{DY G PIr^ is of order {q — l)/2. Hence s also has order (g— l)/2, and 

By definition of Q, there exists h € GgU)' such that Ph = Q, and if we let 
R — P-K-!{g) then RTTT{g)~^h = Q and (po{R) — R3 — Qa- Hence ipG{TTi{g)~^h) € 
i?Q3, and therefore nT{g)~^h e (Pq}{Hr^). 

By Proposition 13.311 ipQ^{H]i^) is dihedral of order q — 1, and s generates a 
subgroup of index 2. Therefore Pr[TTT{g)^^h £ (s)] = 1/2, which is the success 
probability of line [TH 

It is straightforward to determine if A exists, since h{X) is diagonal. The success 
probability of line [5] is given by Lemma 13.331 Hence the success probability of the 
algorithm is as stated. □ 
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Theorem 3.35. Assume an oracle for the discrete logarithm problem in ¥q. 
The time complexity of Alaorithm \'6.5\ is 0(log((?)^ + Xoiq)) field operations. The 
length of the returned SLP is 0(log((7) loglog((7)) . 

Proof. By Lemma r3. 331 line [S] involves solving a quadratic equation in F^, and 
hence uses 0(l) field operations. Evaluating the maps and uses 0(log(9)'^) 
field operations, and it is clear that the rest of the algorithm can be done using 
0[xD{q)) field operations. 

By Theorem 11.121 the length of the SLP from the constructive membership 
testing in PSL(2, q) is O(\og{q) loglog((7)) , which is therefore also the length of the 
returned SLP. □ 

Corollary 3.36. Assume an oracle for the discrete logarithm problem in ¥q. 
There exists a Las Vegas algorithm that, given (X) ^ GL(7, q) such that G = 
{X) = Ree((7) and P € O, computes a random element of Gp as an SLP in X. The 
expected time complexity of the algorithm is \og\og{q) + log(g)"^ + Xd{<i)) field 
operations. The length of the returned SLP is 0(log((7) loglog((;)) . 

Proof. The algorithm is given in Section [5'.2. 2. 31 

An involution is found by finding a random element and then use Proposition 
11.41 Hence by Corollary 12.241 the expected time to find an involution is O + 
log((7) loglog((7)) field operations. 

As described in Section 11.2.9.21 the Bray algorithm will produce uniformly 
random elements of the centraliser. Hence as described in Section 11.2.61 we can 
also obtain uniformly random elements of its derived group. By Proposition 12.27], 
two random elements will generate PSL(2, q) with high probability. This implies 
that the expected time to obtain probable generators for PSL(2,(7) is 0(l) field 
operations. 

By Proposition 13.311 the point Q is equal to P with probability 2/{q{q + 1)) 
and by Lemma r3.321 the point P do not represent zero with probability 1/2, so the 
expected time of the penultimate step is 0(l) field operations. 

Since the points P, Q can be considered uniformly random and independent in 
Algorithm 13. 5[ the element returned by that algorithm is uniformly random. Hence 
the element returned by the algorithm in Section [3.2.2.31 is imiformly random. 

The expected time complexity of the last step is given by Theorem 13.351 and 
13.341 It follows by the above and from Lemma 13.281 and 13.291 and Corollary 12.231 
that the expected time complexity of the algorithm in Section [3.2.2.31 is as stated. 

The algorithm is clearly Las Vegas, since it is straightforward to check that the 
element we compute really fixes the point P. □ 

Remark 3.37. The elements returned by the algorithm in CoroUarv 13.361 are 
not uniformly random from the whole of Gp, but from GpnCcO). Hence, to obtain 
generators for the whole stabiliser, it is necessary to execute the algorithm at least 
twice, with different choices of the involution j. 
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Remark 3.38. The algorithm in CoroUary 13.361 works in any conjugate of 
Ree(g), since it does not assume that the matrices lie in the standard copy. 

3.2.3. Constructive membership testing. We now describe the construc- 
tive membership algorithm for our standard copy Ree((7). The matrix degree is 
constant here, so we set ^ — ^(7). Given a set of generators X, such that G = 
(X) ~ Ree((3'), and given an element g ^ G, we want to express g as an SLP in X. 
Membership testing is straightforward, using the first step from the algorithm in 
Theorem 13.271 and will not be considered here. 

The general structure of the algorithm is the same as the algorithm for the 
same problem in the Suzuki groups. It consists of a preprocessing step and a main 
step. 

3.2.3.1. Preprocessing. The preprocessing step consists of finding "standard 
generators" for O3 (Gp^) — U{q) and O3 (Gp,,). In the case of O3 (Gp^) the stan- 
dard generators are defined as matrices 

{5(a„ x„ y,)}r=i U {^(0, 6„ z,)}r=i U {5(0, 0, cOj^^i (3.36) 

for some unspecified Xi, yi, Zi e Fg, such that {ai, . . . , a„}, {&i, . . . , 6„}, {ci, . . . , c„} 
form vector space bases of Fg over F3 (so n — \og^ q = 2m +1). 

Lemma 3.39. There exist algorithms for the following row reductions. 

(1) Given g = h{X)S{a,b,c) e Gp^, find h € 03(Gp^) expressed in the 
standard generators, such that gh = h{X). 

(2) Given g — S{a,b, c)h{X) G Gp^ , find h £ 03(Gp^) expressed in the 
standard generators, such that kg — h{X). 

(3) Given Poo ^ P € O, find g € 03(Gp^) expressed in the standard genera- 
tors, such that Pg ~ Pq . 

Analogous algorithms exist for Gpg. If the standard generators are expressed as 
SLPs of length 0(n) , the elements returned will have length 0(nlog(g)). The time 
complexity of the algorithms is 0(log(<7)'^) field operations. 

Proof. The algorithms are as follows. 
(1) (a) Solve a linear system of size log(q) to construct the linear combi- 
nation —a — —(72.1/52,2 = X^i™!^^ '^i'^i with ai € F3. Let h' = 
VS^i^ S{a^,x^,y,Y^ and g' = gh! , so that g' = h{X)S{0,b' , c') for 
some 6', c' G ¥q. 

(b) Solve a linear system of size log(q) to construct the linear combi- 
nation —b' = —531/533 = IZi^i'^ Pi^i with Pi e F3. Let h" = 
n?ri^^'5(0,6^,y,)'3' and g" = g'h", so that g" = h'{X)S{0,0,c") for 
some c" e ¥q. 

(c) Solve a linear system of size log(q) to construct the linear combi- 
nation -c" = -54,1/54,4 = EilTi^^TiCi with 7i e F3. Let h'" = 
Ul=^' 5(0, 0, Ziy^ and g'" = g"h"', so that 5"' = h'{X). 

(d) Now h = h'h"h'". 
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(2) Analogous to the previous case. 

(3) (a) Normalise P so that P — {1 : pi : ■ ■ ■ : pq) . 

(b) Let a = -pf , /3 = (pia +^2)^* and 7 = ((a/3)* + pi{a*+^ + /3*) + 
P2a* +^3)^*- Then 5'(a,/?, 7) maps P to Foo- 

(c) Use the algorithm above to find h e 03(Gp^ ) such that S{a, (3, = 
1, and hence express S{a,P,"f) in the standard generators. 

Clearly the dominating term in the time complexity is the solving of the linear 
systems, which requires 0(\og{q)^) field operations. The elements returned are 
constructed using 0(\og{q)) multiplications, hence the length of the SLP follows. □ 

Theorem 3.40. Given an oracle for the discrete logarithm problem in ¥q, 
the preprocessing step is a Las Vegas algorithm that finds standard generators for 
OslGp^) andOz[Gp„) as ZLPsinX of length O(\og{q){\og\og{q))^) . It has expected 
time complexity 0((^ loglog((7) + log{q)^ + Xoiq)) loglog((7)) field operations. 

Proof. The preprocessing step proceeds as follows. 

(1) Find random elements ai e Gp^ and bi e Gp^ using the algorithm from 
CoroUarv 13.361 Repeat until oi can be diagonalised to h{X) E G, where 
A G and A does not lie in a proper subfield of ¥q. Do similarly for bi. 

(2) Find random elements 02 G Gp^ and 62 € Gpj, using the algorithm from 
CoroUarv 13.361 Let ci = [ai,a2], C2 = [bi,b2]- Repeat until |ci| = |c2| = 9. 

(3) Let Foo = {ci, ai} and Yq — {c2, 61}. As standard generators for 03(G'p^ ) 
we now take U = Ui U U2 where 

2m+l 

Ui^ [j {c^Kicir^} (3.37) 

and 

C/2= U {[cf^c^M (3.38) 

Similarly we obtain L for O3 (Gpp). 
It follows from and ((05)) that (piTT]) and provides the standard 

generators for Gp^ . These are expressed as SLPs in X, since this is true for the ele- 
ments returned from the algorithm described in Corollarv l3.36l Hence the algorithm 
is Las Vegas. 

By CoroUarv I3.36[ the expected time to find oi and bi is 0(^loglog((7) + 
log{q)^ + Xoiq)), and these are uniformly distributed independent random ele- 
ments. The elements of order dividing q — I can be diagonalised as required. By 
Proposition 12.151 the proportion of elements of order q — 1 in Gp^ and Gpg is 
(j){q — l)/{q — 1). Hence the expected time for the first step is 0((^ loglog((7) -f 
log{q)^ + Xd('?)) loglog(g)) field operations. 

Similarly, by Proposition 12 . 291 the expected time for the second step is 

0((eioglog(g) + log((7)3 + xniq)) loglog((7)) 

field operations. 



3.2. SMALL REE GROUPS 



80 



By the remark preceding the Theorem, L determines three sets of field elements 
{ai, . . . ,a2m+i}, {61, . . . ,52m+i} and {ci, . . . ,C2m+i}. By (|2.39p . in this case each 
tti = aA*, bi = 6A''^*+^) and Ci = cA'''*^'^-', for some fixed a,b,c£ F^, where A is as 
in the algorithm. Since A does not lie in a proper subfield, these sets form vector 
space bases of over F3. 

To determine if ai or bi diagonalise to some h{X) it is sufficient to consider 
the eigenvalues on the diagonal, since both ai and bi are triangular. To determine 
if A lies in a proper subfield, it is sufficient to determine if |A| | 3" — 1, for some 
proper divisor n of 2m + 1. Hence the dominating term in the complexity is the 
first step. □ 

3.2.3.2. Main algorithm. Given g Cz G wc now show the procedure for express- 
ing g as an SLP. It is given as Algorithm 13.61 

Algorithm[331 ElementToSLP(C/, L, g) 

1 Input: Standard generators U for Gp^ and L for Gp^,. Matrix g £ {X) — G. 

2 Output: SLP for g in X 

3 repeat 



4 repeat 

5 r := Random(G') 

6 until gr has an eigenspace Q £ O and P Q 

7 Find zi € Gp^ using U such that Qzi — Pq. 

8 // Now {gry^ G Gp„ 

9 Find Z2 € Gpg using L such that {gr)'^^Z2 = h{X} for some A e F^ 

10 X := Tr(/i(A)) 

11 until a; — 1 is a square in F^ 



12 // Express diagonal matrix as SLP 

13 Find u = S{0, 0, ^/{x~l)^<^)S{0, 1, 0)^ using UUL 

14 // Now Tr(u) = x 

15 Let Pi, P2 G O he the fixed points of u 

16 Find a S Gp^ using U such that Pia = Pq 

17 Find b E Gp„ using L such that {P2a)b = Poo 

18 // Now m'^^ g Gp^ n Gp„ = H{q), so w"'' G {h{\)^^} 

19 if u"'' = h{X) 



then 

20 Let w be the SLP for (u^^Zj"^)^!' V"! 

21 return W 
else 

22 Let w be the SLP for {{u"'')-'^ z^'^Y^' r''^ 

23 return w 



end 

3.2.3.3. Correctness and complexity. 

Theorem 3.41. Alaorithm \'S.()\ is correct, and is a Las Vegas algorithm. 

Proof. First observe that since r is randomly chosen, we obtain it as an SLP. 
The elements found at lines [7] and [H can be computed using Lemma 15. 39| so we 
can obtain them as SLPs. 
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The element u found at line [T3] clearly has trace x. Because u can be computed 
using Lemma [3.391 we obtain it as an SLP. From Proposition 12.251 we know that u 
is conjugate to h{X)^^ and therefore must fix two points of O. Hence lines [TBI and 
[TTlmake sense, and the elements found can again be computed using Lemma [3.391 
so we obtain them as SLPs. 

Finally, the elements that make up w have been found as SLPs, and it is clear 
that if we evaluate w we obtain g. Hence the algorithm is Las Vegas and the 
Theorem follows. □ 

Theorem 3.42. Aloorithm \3.6\ has expected time complexity 0(f + log(g)^) field 
operations and the length of the returned SLP is O((log(g) loglog(q))^) . 

Proof. It follows immediately from Lemma that the lines 171 [T^ \W\ and 
[T7]use 0(log(q)'^) field operations. 

From Corollary 1 2. 24[ the expected time to find r is O(^) field operations. Half 
of the elements of are squares, and x is uniformly random, hence the expected 
time of the outer repeat statement is 0(^ + log(q)'^) field operations. 

Finding the fixed points of u, and performing the check at line [B] only amounts 
to considering eigenvectors, which is 0(\ogqj field operations. Thus the expected 
time complexity of the algorithm is 0(^ + \og{q)^) field operations. 

From Theorem l3.40l each standard generator SLP has length 0(log(g) (log \og{q))^) 
and hence w will have length 0((log(g) log log(q))^) . □ 

3.2.4. Conjugates of the standard copy. Now assume that we are given a 
conjugate G ofliee{q), and we turn to the problem of finding some g G GL(7, q) such 
that = Kee{q), thus obtaining an algorithm that finds effective isomorphisms 
from any conjugate of Ree(g) to the standard copy. The matrix degree is constant 
here, so we set ^ = ^(7). 

Lemma 3.43. There exists a Las Vegas algorithm that, given {X) ^ GL(7, q) 
such that {X)^ — Ree(g) for some h G GL(7, g), finds a point P G = 
jQ/i"^ I Q G O}. The algorithm has expected time complexity 

0((C + log(g) loglog(9)) log log(g)) 

field operations. 

Proof. Clearly ^ is the set on which {X) acts doubly transitively. For a 
matrix h{\) G Ree((7) we see that the eigenspaces corresponding to the eigenvalues 
A** will be in C Moreover, every element of order dividing (7 — 1 , in every conjugate 
G of Ree((7), will have eigenvalues of the form /i^*, /i^^^^*', for some /i G 

, and the eigenspaces corresponding to /i^* will lie in the set on which G acts 
doubly transitively. 

Hence to find a point P G O'^ it is sufficient to find a random g G {X) of 
order dividing g — 1. We compute the order using expected 0(log(g) \og\og[q)) field 
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operations, and by Corollary 12.241 the expected number of iterations to find the 
element is 0(loglog(g)) field operations. We then find the eigenspaces of g. 

Clearly this is a Las Vegas algorithm with the stated time complexity. □ 

Conjecture 3.44. Let P ^ {1 : p2 pr) e C and Q ^ {1 : q2 ■ ■ ■ ■ ■ qj) & 
for some x G GL(7, g). Then for all a,b,c,s G F^, the ideal in ¥q[a, (3,j,S] 
generated by 



pfl35 - pf+-'ja-'P + P2sap + p^Paa^P - p^c ; 



Peb 



(P4s)^* + {p2P3f*lSa - P3P4saP + P2pla^0^ 
-[p,srp2a--pf+V,'l5a-pf+'^ 
iP2P3?a^l3^ +pf+^P3Wl3-p7a - {p^sf 
as well as the corresponding 3 polynomials from Q, is zero-dimensional. 



(3.39) 
(3.40) 

(3.41) 



Lemma 3.45. Assume Coniecture \3AAi There exists a Las Vegas algorithm that, 
given {X) ^ GL(7, q) such that {X)'^ — Ree((7) where d — diag(o?i, ^2, c?3, 1^4, c?5, c?6i d'j) G 
GL(7, g), finds a diagonal matrix e e GL(7, g) such that {XY = Ree(g). The ex- 
pected time complexity is 0(|X| + (^ + log(g) loglog(g)) loglog((7)) field operations. 

Proof. Let G = {X). Since G"* = Ree(g), G must preserve the symmetric 
bilinear form 



K = dJd = 
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(3.42) 



where J is given by (|2.40p . Using the Meat Axe, we can find this form, which is 
determined up to a scalar multiple. In the case where — -ftr4,4 turns out to be a 
non-square in ¥q we can therefore multiply K with a non-square scalar matrix. 
The diagonal matrix e = diag(ei, 62, 63, 64, 65, eg, 67) that we want to find is also 
determined up to a scalar multiple (and up to multiplication by a diagonal matrix 
in Ree(g)). 

Since e must take J to K, we must have Ki j = didj ~ eiey, -R'2,6 — c^2C^6 = 
6265, i^3,5 = dads — eaes and ^^4,4 = — d| = — e|. Because e is determined up 
to a scalar multiple, we can choose ei — 1, ct — Kij and 64 = s = ^y^^K^. 
Furthermore, 65 = K^^^/ej, and eg — K2.%l^i so it only remains to determine 62 
and 63. 

To conjugate G into Ree((7), we must have Pe G O for every P e \ which 
is the set on which G acts doubly transitively. By Lemma [3.43) we can find P = 
(1 : P2 : P3 : P4 : P5 : P6 : Pi) G \ and the condition Pe = (1 : ^262 : ^363 : 
Pas : Ps^3,5/e3 ■ P6^2,6/e2 : Pz-f^i,?) G C is given by (|2.4f p and amounts to the 
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polynomial equations given in Coniecture l3.44l with a = 62, /? = 63, 7 = e|, 5 — e\, 
Kij = a, K2fi = b, ifa.s = c. 

By finding another random point Q G O'^ using Lemma 13.431 we obtain 6 
polynomials which we label IP, 2P, 3P, IQ, 2Q and iQ. Conjecture 13.441 asserts 
that the resulting ideal is zero-dimensional. 

Now it follows from Proposition l2. 281 that with high probability we have 7^ 
and p^q'^^^ ^ 93*^2*"''^) we repeat until P and Q satisfy this. Then we can solve 
for 5 from IP and 7 from IQ, as 

a^7/3p2*^^ - a^/3p2P3_- a/3sp2P4 + cps 
pff3 

a^dipfqf^'-pf^'qf) 

(3.44) 



^ _ Lt /M^'2 ~ ^'^'2^'3 — ~r I^P5 fo /lo\ 



7 ^ 



and if we substitute these into the other equations we obtain 4 polynomials in 
a and /?, which generate a zero-dimensional ideal. The variety of this ideal can now 
be found using Theorem ll.2l 

Hence we can find 62 and 63. The diagonal matrix 

e = diag(l, 62, 63,5, 1^3,563 \ii:2,6e2"\i^i, 7) 

now satisfies — Ree(g). 

By Lemma 13.431 Lemma 13.441 Theorem 11.21 and Section 11.2.10.11 this is a Las 
Vegas algorithm with the stated time complexity. □ 

Lemma 3.46. There exists a Las Vegas algorithm that, given subsets X , Yp 
and Yq o/GL(7,g) such that O^iGp) < {Yp) Gp and O^iGq) < (Yq) Gq, 
respectively, where {X) — G, G'^ — Y{,ee{q) for some h £ GL(7, q) and P,Q E O'' , 
finds k E GL(7, q) such that [G^)'^ ~ Rce(g) for some diagonal matrix d E GL(7, q). 
The algorithm has expected time complexity 0(|X|) field operations. 

Proof. Notice that the natural module V — W"^ oi U{q)H{q) is uniserial with 
seven non-zero submodules, namely 

Vt = {{vi,V2,V3,V4,V5,Vg,V7) E | Vj = 0, j > i} 

ior i — 1, . . . ,7. Hence the same is true for (Yp) and {Yq) (but the submodules will 
be different) since they he in conjugates of U{q)H{q). 
Now the algorithm proceeds as follows. 

(1) Let V" = be the natural module for (Yp) and (Yq). Find composition 
series V ^ V-^^ > > Vf > Vf > V^^ > > and V ^ > 
VfP > > > > > using the MeatAxe. 

rQ 



(2) Let Ui ^ U2 = n Fg'^, Us = n V^, t/4 = vi" n V^, U5 

4 



n V^, Ue = Vf n and U7 = . For each i = 1, . . . , 7, choose 



Ui E Ui. 

(3) Now let k be the matrix such that k^^ has Ui as row i, for i = 1, . . . , 7. 
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The motivation for the second step is analogous to the proof of Theorem 13.161 
Thus the matrix k found in the algorithm satisfies that z = kd for some diagonal 
matrix d e GL{7,q). Since Ree(q) = G'' — — {G^Y, the algorithm returns a 
correct result, and it is Las Vegas because the MeatAxe is Las Vegas. Clearly it has 
the same time complexity as the MeatAxe. □ 

Theorem 3.47. Assume Conjecture 13.441 and an oracle for the discrete loga- 
rithm problem in Fg. There exists a Las Vegas algorithm that, given a conjugate {X) 
ofIiee{q), finds g G GL(7, (?) such that (X)^ = Kee{q). The algorithm has expected 
time complexity 0((^ loglog(g) + log{q)^ + Xd('?)) loglog((7) + |A"|) field operations. 

Proof. Let G ~ {X). By Remark 13.381 we can use Corollary 13. 361 in G, so we 
can find generators for a stabiliser of a point in G, using the algorithm described 
in Theorem 13.401 

(1) Find points P,Q £ using Lemma [3.431 Repeat until P ^ Q. 

(2) Find generating sets Yp and Yq such that 03(Gp) < (Yp) ^ Gp and 
03(Gq) < (Yq) ^ Gq using the first two steps of the algorithm from the 
proof of Theorem 13.401 

(3) Find k e GL(7, such that [G'^ Y — Ree(g) for some diagonal matrix 
d e GL(7, q), using Lemma [3.461 

(4) Find a diagonal matrix e using Lemma 13.451 

(5) Now g = ke satisfies that G^ — Ree(q). 

Be Lemma 13.141 13.461 and 13.451 and the proof of Theorem 13.401 this is a Las 
Vegas algorithm with time complexity as stated. □ 

3.2.5. Tensor decomposition. Now assume that G ^ GL((i, q) where G = 
Ree(g), d > 7 and q = 32™+! for some m > 0. Then AutF^ = (-0), where -ip is 
the Frobenius automorphism. Let W be the given module of G and let V be the 
natural module of Ree((7), so that dim 14^ — d and dimV = 7. From Section [1.2.71 
and Section [2.2.31 we know that 

W ^ M'f'^° (g) M'f''' (g) • • • (g M"^"""' (3.45) 

for some integers ^ «o < *i < ■ ■ ■ < in-i ^ 2m, and where M is either V or the 
absolutely irreducible 27-dimensional submodule S of the symmetric square S'^{V). 
In fact, we may assume that zq = 0. As described in Section 11.2.71 we now want 
to tensor decompose W to obtain an effective isomorphism from to y or to S. 
In the latter case we also have to decompose S into V to obtain an isomorphism 
between W and V. We consider this problem in Section [3.2.61 

Proposition 3.48. Let G s$ GL(27, such that G = Ree(g), let j e G be an 

involution and let H = Cg(j)' ^ PSL{2,q). Then S\h = Vg Vg © V12 as an H- 

1 1 

module, where dimVi — i. Moreover, Vg is absolutely irreducible, V12 = V^.V^' .V4 
and Vq = 1.1^4''' .1, where k ^ I. 
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Proof. By Proposition \TTEl V\h ^ V3 ® V4 and hence V3 = S'^{V2) and 
V4 = V2 (81 where V2 is the natural module of PSL(2, q) and n > 0. 

1®S\h= S^iVln) = S^iS^iV2))®S^{V2 ® vf) (^^(Fa) ^¥2® vf) (3.46) 
Now consider 



S^{V2 ® vf) ® a2(F2 ® vf) = {V2 ® vf) ^ {V2 ® vf) = 
- {V2 ® V2) ® {vf (g) vf) = {S^{V2) ®l)® {S'^ivf) e 1) = (3.47) 

= 1 e 52(1^2) ® s'^ivf) ® (52(^2) ® s'^ivf )) 



The final sumniand has dimension 9 and is absolutely irreducible because it is of the 



form (imi . Hence ^'^{V2 «) ^2 ) = '5^ (^2) ® ^^(f/ ) and S^{V2 «) ) = 1 © 



as required. 

Furthermore, a direct calculation shows that S^{S^{V2)) has shape 1.1.1 © 
5^(1/2) when restricted to F3, and over Vq the 5^(V2) must fuse with the middle 
composition factor, otherwise the module would not be self-dual {S is self-dual since 
G preserves a bilinear form). 



Similarly, S^{V2) ®V2® V^ has shape 1.1.1 © {S^ {V2) .S^ (V^ )-S^(V2)) over 



of Vi2- This is also proves that the 4-dimensional factor of Vg is not isomorphic to 



Corollary 3.49. Let G GL(27, g) such that G = Rce(g), let j e G be an 
involution and let H = CgU)' — PSL(2,g). Then dimHom//(S'|i/, S'Ih ) — 5. 

Proof. By Proposition 13.481 

HomH(5|ff , S\h) = RomH{V6,S\H) © Hom^ (Fg, S\h) © HomH(l/i2, 

The middle summand has dimension 1, by Schur's Lemma. 

A homomorphism Ve S\h must map the 5-dimensional submodule to itself 
or to 0. The composition factor of dimension 1 at the top can either be mapped to 
itself, or to the factor at the bottom. Hence dimHom^f (Ve, S'lff ) — 2. 

Similarly, dimHom^f (V12, S"!//) = 2 since the top factor can either be mapped 
to itself, or to the bottom factor. Thus the result follows. □ 

Given a module W of the form ()3.45|) , we now consider the problem of finding 
a flat. For fc = 0, . . . , n — 1, let Hk be the image of the representation corresponding 
to M"^'", so Hk GL(7,g) or Hk s$ GL(27,g), and let pk : G ^ Hk he an 
isomorphism. Our goal is then to find pk effectively for some k. 

For A e ¥^ denote Ex = {l, A±*, A±(*~i', A^^^t-i)}. We need the following 
conjectures. 

Conjecture 3.50. Let Rcc{q) = G ^ GL{d,q) have module W of the form 
p.45p . with dimVF = d = 7" for some n > 1. 



F3. Over ¥q each 1 fuses with a corresponding 



(V2) and we obtain the structure 



any of the factors of V12. 



□ 



3.2. SMALL REE GROUPS 



86 



Let g (z G have order q — 1 and let E be its multiset of eigenvalues. If 2m > n 
then there exists A e such that Ex C E, and the sum of the eigenspaces of g 
corresponding to Ex has dimension dimT^. 

Conjecture 3.51. Let Ree(g) = G < Gh{d,q) have module W of the form 
p.45p and dim — d > 7. Let j Cz G be an involution. 

If W has tensor factors both of dimension 7 and 27, then W^IcgO) ^'^^ unique 
submodules W3 and W4 of dimensions 3 and 4, respectively, such that W3 + W4 is 
a point of W of dimension 7. 

Conjecture 3.52. Let Ree(g) = G ^ Gh{d, q) have module W of the form 
p.45p and divciW = 27" for some n > \. Let j € G be an involution and let 
H = Cg(j)'. 

If2m>n then dimHomH(5"^''° |//, M^Ih) = 5, for some ^ k ^ n — 1. 

Theorem 3.53. Assume Conjecture 13.501 There exists a Las Vegas algorithm 
that, given {X) ^ GL{d,q), where q — 3^™+^, d — 7"^, n > 1, 2m > n and 
(X) = Ree(g), with module W of the form (|3.45l) . finds a point ofW. The algorithm 
has expected time complexity 

0{{ad)+dHog{q) loglog(g'^))loglog(g) 

field operations. 

Proof. Let G = (X). By Corollary 12.241 we can easily find g £ G such that 
l^l I q — I. Our approach is to construct a point as a suitable sum of eigenspaces of 
g. We know that for fc = 0, . . . , n — 1, pk{g) has 7 eigenvalues A^*, A^'"*~^\ ^fe 
and 1 for some Afe G . Let E be the multiset of eigenvalues of g. Each eigenvalue 
has the form 

A^Af-.-A^r? (3.48) 

where each A^ G F^ and each jk E {±<, ±(t — 1), ±(2i — 1), 1}. We can easily 
compute E. 

Because each X-j^ may be 1, for each fc = 0, . . . , n — 1 we have Ex^ C E. We 
can determine which X E E can be one of the Afe, since if A = A/j for some k, then 
Ex3t G E. 

Thus we can obtain a list, with length between n and d, of subsets Ex of E. 
Now Conjecture 13 . 501 asserts that there is some n such that E^^ C E, and such 
that the sum of the eigenspaces corresponding to has dimension 7, and by its 
construction it must therefore be a point of W. Since /i* G E, the set i?^ will be on 
our list, and we can easily find the point. 

The algorithm is Las Vegas, since we can easily calculate the dimensions of the 
subspaces. The expected number of random selections for finding 5 is O (log log{q)^ , 
and we can find its order using expected 0(d'^ log((7) loglog(g'')) field operations. 
We find the characteristic polynomial using 0(d'^) field operations and then find the 
eigenvalues using expected 0(d(logd)^ loglog(d) log (dq)) field operations. Finally 
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we use the Algorithm from Section [1.2.10.31 to verify that we have a point, using 
0(^(P log(g)) field operations. The rest of the algorithm is linear algebra, and hence 
the expected time complexity is as stated. □ 

Theorem 3.54. Assume Coniecture Vi.bll There exists a Las Vegas algorithm 
that, given (X) ^ GL{d,q), where q = 32™+!^ 7 \ d, 27 \ d and {X) ^ Ree{q), with 
module W of the form p.45p . finds a point of W . The algorithm has expected time 
complexity 

0{m + dHog{q){\og\og{q'') + \og{df)) 

field operations. 

Proof. Let G = (X). Similarly as in Corollary I3.36[ we find an involution 
j & G and probable generators for GgU)' ■ We can then use Theorem ll.l3l to verify 
that we have got the whole centraliser. 

Using the MeatAxe, we find the composition factors of W\cG{j) - For each pair 
of factors of dimensions 3 and 4 we compute module homomorphisms into M^IcgO) 
and then find the sum of their images. 

Coniecture l3.51l asserts that this will produce a point of W. We can easily calcu- 
late the dimensions of the submodules and use the tensor decomposition algorithm 
to verify that we do obtain a point, so the algorithm is Las Vegas. 

The expected time complexity for finding j is 0(^((i) + d'^ log((7) loglog((7'')) 
field operations. From the proof of Corollary 13 . 361 we see that we can find probable 
generators for Ccij) and verify that we have the whole centraliser using expected 
0(^((i) + rf"^ log(g) loglog((7'')) field operations, if we let e — loglog(g) in Theorem 
11.131 The MeatAxe uses expected 0(d'^) field operations in this case, since the 
number of generators for the centraliser is constant. Then we consider 0(log((i)^) 
pairs of submodules, and for each one we use the tensor decomposition algorithm 
to determine if we have a point, using 0((i'' log(g)) field operations. Hence the 
expected time complexity is as stated. □ 

Theorem 3.55. Assume Conjecture 13.521 and an oracle for the discrete log- 
arithm problem. There exists a Las Vegas algorithm that, given (X) ^ GL((i, g), 
where q = 32™+!^ d ^ 27", n > 1, 2m > n and {X) = Ree{q), with module W of 
the form (j3.45p . finds a point of W . The algorithm has expected time complexity 

0((e(d) + d' \og{q) loglog(g'^)) loglog(g) + log(g)3 + dVo(d) \X\ + dxoiq) + ^d) 

field operations. 

Proof. Let G = {X). Similarly as in Corollary 13.361 we find an involution 
j £ G and probable generators for H = CgO)' — PSL{2,q). We can then use 
Theorem 1 1.1 31 to verify that we have got the whole centraliser. 

Using the MeatAxe, we find the composition factors of W\h- Let be the 
group corresponding to a non-trivial composition factor. Using Theorem 11.121 we 
constructively recognise Si as PSL(2, q) and obtain an effective isomorphism tti : 
PSL(2,g) ^ H. 
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Now let R be the image of the representation corresponding to S, so R ^ 
GL(27, g). Again we find an involution j' g R and probable generators for K = 
Ci^(j')' = PSL(2,g). As above, we chop the module S\k with the MeatAxe, con- 
structively recognise one of its non-trivial factors and obtain an effective isomor- 
phism TT2 : PSL(2, q) K. 

Note that both tti and 7r2 have effective inverses. Hence we can obtain standard 
generators for H and K . For each i = 0, . . . , 2m, do the following: 

(1) Find M = HompsL(2,q)(5'''' \k, W\h) using the standard generators. 

(2) If dim A/ ~ 5, then find random f ^ M such that dimKer/ = 0. Use the 
algorithm in Section ff .2.f 0.31 to determine if [/ = lm(/) is a point. 

From Proposition l3.48l we know that S\k has a submodule of dimension f . This 
implies that that W\h has a submodule U'^. = (vi) (g) • • • (g) (vk-i) iS) S"^ ^ {vk+i) ^ 
•••(g) ^ S"^ , for any k — 0, . . . , n — 1, and some wi, . . . , Vn-i (depending 

on k). Moreover, HompsL(2,g) (5'^'' k, M^Ih) > HompsL(2,,)(^'^'' C/D- and by 
CoroUarv 13.491 the latter has dimension 5. 

But by Conjecture 13. 52( for some i the former also has dimension 5, and hence 
these vector spaces are equal. Therefore, for some i — ik, the subspace U found in 
the algorithm must be equal to U'f., and hence it is a point. 

The expected time complexity for finding the involutions is 

0(C(d) + d3log(g)loglog(<7'^)) 

field operations. From the proof of CoroUarv 13 . 361 we see that we can find probable 
generators for Ccij) and verify that we have the whole centraliser using expected 
0{^{d) + d"^ log(g) loglog((7'^)) field operations, if we let e = \og\og{q) in Theo- 
rem [TTT31 The MeatAxe uses expected 0{d?^ field operations in this case since the 
number of generators are constant. In the loop, we require 0{(P log(g)) field oper- 
ations to verify that [/ is a point. Hence the expected time complexity follows from 
Theorem [TH □ 

Conjectures 13.5(71 and [X5^ do not apply when 2m ^ n, so in this case we need 
another algorithm. Then q G 0(c?) so we are content with an algorithm that has 
time complexity polynomial in q. The approach is not to use tensor decomposition, 
since in this case we have no efficient method of finding a fiat. Instead we find 
standard generators of G using permutation group techniques, then enumerate all 
tensor products of the form (|3.45p . and for each one we determine if it is isomorphic 
to W. 

Lemma 3.56. There exists a Las Vegas algorithm that, given (X) ^ GL((i, q) 
such that q — 32m+i > q I^x) = Yiee{q), finds an effective injective 

homomorphism H : {X) Sym(O) where \0\ — q^ + 1. The algorithm has expected 
time complexity 0(^q'^{£,{d) + \X\d'^ + d^) -|- d'*) field operations. 

Proof. By Proposition 12. 16) Ree((7) acts doubly transitively on a set of size 
q'^ + 1. Hence G = {X) also acts doubly transitively on O, where \0\ = q^ + 1, and 
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we can find the permutation representation of G if we can find a point P <E O. The 
set O is a set of projective points of F^, and the algorithm proceeds as follows. 

(1) Choose random g ^ G. Repeat until |g| | g — 1. 

(2) Choose random x £ G and let h = . Repeat until [g, /i]^ = 1 and 

(3) Find a composition scries for the module M of (5, h) and let P C M be 
the submodule of dimension 1 in the series. 

(4) Find the orbit O — P'^ and compute the permutation group S ^ Sym(O) 
of G on O, together with an effective isomorphism 11 : G — > 5. 

By Proposition [22ll elements in G of order dividing g — 1 fix two points of O, 
and hence (g, h) ^ Gp for some P G O if and only if g and h have a common fixed 
point. All composition factors of M have dimension 1, so a composition series of 
M must contain a submodule P of dimension 1. This submodule is a fixed point 
for {g,h), and its orbit must have size + 1, since \G\ = q'^{q'^ + l){q ~ 1) and 
\Gp\ = q^{q - 1). It follows that P e O. 

All elements of G of order a power of 3 lie in the derived group of a stabiliser 
of some point, which is also a Sylow 3-subgroup of G, and the exponent of this 
subgroup is 9. Hence [g, h]^ = 1 if and only if {g, h) lie in a stabiliser of some point, 
if and only if g and h have a common fixed point. 

To find the orbit O — P'^ we can compute a Schreier tree on the generators in 
X with P as root, using 0(|X| \0\ d^) field operations. Then Il{g) can be computed 
for any g € (X) using 0(|0| (P) field operations, by computing the permutation on 
O induced by g. Hence H is effective, and its image S is found by computing the 
image of each element of X. Therefore the algorithm is correct and it is clearly Las 
Vegas. 

We find g using expected 0((^(d) + log(g) log log((;'^)) log log(q)) field op- 
erations and we find h using expected 0((^((i) + 6?')q^) field operations. Then P 
is found using the Meat Axe, in expected 0(d*) field operations. Thus the result 
follows. □ 

Conjecture 3.57. Let G = (X) s; Sym(O) such that G ^ Rcc(q) = H. There 
exists a Las Vegas algorithm that finds x, h, z Cz G as SLPs in X such that the map 

a; 5(1, 0,0) (3.49) 
h^h{\) (3.50) 
z^T (3.51) 

is an isomorphism. Its time complexity is O (^q^ {\og{q))'^) field operations. The length 
of the returned SLPs are 0(^q'^ loglog((3')) . 

Remark 3.58. There exists an implementation of the above mentioned algo- 
rithm, and the Conjecture is then it always produces a correct result and has the 
stated complexity. 



3.2. SMALL REE GROUPS 



90 



Theorem 3.59. Assume Conjecture 13.571 There exists a Las Vegas algorithm 
that, given {X) GL{d,q), where q = n > 1 and d = 7" or d ^ 27" 

and (X) = Ree((7), with module W of the form (|3.45|1 . finds a tensor decomposi- 
tion of W. The algorithm has time complexity 0[q^{^{d) + \X\ d^ + d^ loglog(g) + 
g2(log(g))4) +d^i\X\ + d)) field operations. 

Proof. Let G = {X). The algorithm proceeds as foUows: 

(1) Find permutation representation tt : G ^ Gs ^ Sym((7'^ + 1) using Lemma 

Km 

(2) Find standard generators x,h,z £ G using Coniecture l3.57l Evaluate them 
on G to obtain a generating set Y. 

(3) Let H = (Y) and let V be the module of i7. If 3 | d then replace V with 
S. 

(4) Construct each module of dimension d of the form p.45p using V as base. 
For each one test if it is isomorphic to W, using the MeatAxe. 

(5) Return the change of basis from the successful isomorphism test. 

The returned change of basis exhibits as a tensor product, so by Lemma 
13.561 the algorithm is Las Vegas. 

The lengths of the SLPs of x, h, z is 0((7'^ loglog((7)), so we need 0(d'^(7'' loglog((7)) 
field operations to obtain Y . The number of modules of dimension d of the form 
(|3.45p using V as base is (^^i). Module isomorphism testing uses 0(|X|d^) field 
operations. Hence by Conjecture 13.571 and Lemma 13.561 the time complexity of the 
algorithm is as stated. □ 

3.2.6. Symmetric square decomposition. The two basic irreducible mod- 
ules of Ree((7) are the natural module V of dimension 7, and an irreducible submod- 
ule S of the symmetric square S^iy ). The symmetric square itself is not irreducible, 
since Ree((7) preserves a quadratic form, and therefore has a submodule of di- 

mension 1. The complement of this has dimension 27 and is the irreducible module 
S. 

Conjecture 3.60. The exterior square of S has a submodule isomorphic to a 
twisted version of V . 

Theorem 3.61. Assume Conjecture 13.601 There exists a Las Vegas algorithm 
that, given (X) ^ GL(27, q) with module W such that W is isomorphic to a twisted 
version of S, finds an effective isomorphism from (X) to Ree(g)^ for some g € 
GL(7, g). The algorithm has expected time complexity 0(|X|) field operations. 

Proof. Using Conjecture 13.601 this is just an application of the MeatAxe. 
We construct the exterior square /\^{W) of VF, which has dimension 351, and find 
a composition series of this module using the MeatAxe. By the Conjecture, the 
natural module of dimension 7 will be one of the composition factors and the 
MeatAxe will provide an effective isomorphism to this factor, in the form of a 
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change of basis A e GL{27,q) of W that exhibits the action on the composition 
factors. 

This induces an isomorphism (p : (X) H, where H is conjugate to Ree(g'). 
For g e {X), ip{g) is computed by taking a submatrix of of degree 7. Clearly ip 
can be computed using 0(l) field operations. 

Since the Meat Axe is Las Vegas and has expected time complexity 0(|X|), the 
result follows. □ 

3.2.7. Constructive recognition. Finally, we can now state and prove our 
main theorem. 

Theorem 3.62. Assume the small Ree Conjectures, and an oracle for the 
discrete logarithm problem in ¥q. There exists a Las Vegas algorithm that, given 
{X) ^ Gh{d,q) satisfying the assumptions in Section \1.2.7[ with q = S^™"*"^, to > 
and {X) Ree(g), finds an effective isomorphism ip : {X) — > Rcc(q) and per- 
forms preprocessing for constructive membership testing. The algorithm has ex- 
pected time complexity 0{£_{d){d^ + (loglog(q))^) + d^loglog(d) + d^ao{d) \X\ + 
log(g) log log(g) log log(g'') + \og{qf log \og{q) + xd (q) {d + log log(g))) field oper- 
ations. 

Each image of (p can be computed in 0((i^) field operations, and each pre-image 
in expected 0(^(d) + log{q)^ + d'^(log(g) loglog(q))^) field operations. 

Proof. Let W be the module of G = {X). The algorithm proceeds as follows: 

(1) If d = 7 then use Theorem [Ofl to obtain y e GL(7, g) such that = 
Ree(g), and hence an eff'ective isomorphism ip : G ^ Ree(g) defined by 
9 9^- 

(2) If 3 I cZ then d = 7" for some n > 1. If 2to > n then use Theorem 13.531 
to find a flat L ^ M. If 3 | d but d is not a proper power of 27 then use 
Theorem 13.541 to find such an L. Otherwise d = 27" for some n > 1. If 
2to > n, then use Theorem l3.55l to find a flat L ^ M. 

(3) Use the tensor decomposition algorithm described in Section fl.2.10.3l with 
L, to obtain x E GL{d, q) such the change of basis determined by x exhibits 
W as a tensor product Aig) B, with dim A = 7 or dim A = 27. If d = 7" 
OT d = 27" and 2to ^ n then use Theorem 13. 591 to find x. Let Ga and Gb 
be the images of the corresponding representations. 

(4) Define pA ■ Ga®b Ga as 9a®9b^ Qa and let Y = {pA(g^) | 9 e X}. 
If dim A = 27 then let 6 be the effective isomorphism from Theorem [3211 
otherwise let be the identity map. 

(5) Let Z = {9{x) I X e Y}. Then {Z) is conjugate to Ree(g). Use Theorem 
ElZlto obtain y e GL(7, q) such that {Zf = Ree{q). 

(6) An effective isomorphism ip : G ^ Ree(g) is given by g t-^ 6{pA{g^)Y ■ 
The map pA is straightforward to compute, since given g S GL((i, q) it only involves 
dividing g into submatrices of degree d/7 or d/27, checking that they are scalar 
multiples of each other and returning the 7 x 7 or 27 x 27 matrix consisting of these 
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scalars. Since x might not lie in G, but only in '^^Gi.{d,q){G) = G:¥q, the result of pA 
might not have determinant 1. However, since every element of Fg has a unique 7th 
root, we can easily scale the matrix to have determinant 1. Hence by Theorem l3.53l 
Theorem KM\ Theorem Section ll.2.10.3| Theorem IXFTl and Theorem 

the algorithm is Las Vegas, and ip can be computed using 0((i'^) field operations. 

In the case where we use Theorem 13.591 we have 2rn ^ n and hence q < 3d. We 
see that (^™^) < n, and the time complexity of the algorithm to find x, in Theorem 
simplifies to 0{d^{^{d) + \X\ d^ + d^ loglog(d))). 

In the other cases, finding L uses 0((^(d) + d"^ log((7) log log((7'^)) log log(g) + 
d^tTo(c?) \X\ + dxoiq) + £,{d)d) field operations. From Section [1.2.10.31 finding a; 
uses 0(c?'^ \og{q)) field operations when a flat L is given. 

From Theorem 13 . 6 1 1 finding 9 uses 0(|F|) field operations, and from Theorem 
13.471 finding y uses O ( (d) log log(g) + log(g) ^ + (g) ) log log(g) + 1 Z | ) field opera- 
tions. Hence the expected time complexity is as stated. Finally, ip~^{g) is computed 
by first using Algorithm 13.61 to obtain an SLP of g and then evaluating it on X. 
The necessary precomputations in Theorem 13.401 have already been made during 
the application of Theorem I3.47[ and hence it follows from Theorem 13.421 that the 
time complexity for computing the pre-image of g is as stated. □ 

3.3. Big Ree groups 

Here we will use the notation from Section 12.31 We will refer to Conjectures 
[OTi [2381 1231 12:401 \2AT\ 12:421 12:451 [236] and [3Jl simultaneously as the Big Ree 

Conjectures. 

With the Big Ree groups, we will only deal with the natural representation, 
the last case in Section II. 2.71 We will not attempt any tensor decomposition, or 
decomposition of the tensor indccomposables listed in Section 12.3.21 This can be 
partly justified by the fact that at the present time the only representation, other 
than the one of dimension 26, that it is within practical limits in the MGRP, is 
the one of dimension 246. We have some evidence that it is feasible to decompose 
this representation into the natural representation using the technique known as 
condensation, see jHEO05l Section 7.4.5] and [LW98| . 

The main constructive recognition theorem is Theorem 13.791 

3.3.1. Recognition. We now consider the question of non-constructive recog- 
nition of ^F4{q), so we want to find an algorithm that, given a set {X) ^ GL(26, q), 
decides whether or not {X) = '^F4{q). 

Theorem 3.63. There exists a Las Vegas algorithm that, given {X) ^ GL(26, q), 
decides whether or not (X) = ^F4(q). The algorithm has expected time complexity 
0[ao{\og{q)){\X\ + \og{q))) field operations. 

Proof. Let G — ^F4{q), with natural module M. The algorithm proceeds as 
follows: 
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(1) Determine ii X C G and return false if not. All the following steps must 
succeed in order to conclude that a given g G X also lies in G. 

(a) Determine if 5 G 0^(26, q), which is true if detg — 1 and if gQg^ = 
Q, where Q is the matrix corresponding to the quadratic form Q* 
and where denotes the transpose of g. 

(b) Determine if g € F4(g), which is true if g preserves the exceptional 
Jordan algebra multiplication. This is easy using the multiplication 
table given in [WirOS) . 

(c) Determine if (7 is a fixed point of the automorphism of F4 (q) which 
defines ^F4(q). By |Wil06| . computing the automorphism amounts 
to taking a submatrix of the exterior square of g and then replacing 
each matrix entry x hy x"^ . 

(2) If {X) is not a proper subgroup of G, or equivalently if {X) is not con- 
tained in a maximal subgroup, return true. Otherwise return false. By 
Proposition [133 it is sufficient to determine if {X) cannot be written over 
a smaller field and if {X) is irreducible. This can be done using the Las 
Vegas algorithms from Sections II. 2. 10. II and II. 2. 10. 21 

Since the matrix degree is constant, the complexity of the first step of the 
algorithm is 0(l) field operations. For the same reason, the complexity of the 
algorithms from Sections 010 and [L2in21 is 0{aoi\og{q)){\X\ + log(g))) field 
operations. Hence the expected time complexity is as stated. □ 

3.3.2. Finding elements of even order. In constructive recognition and 
membership testing of ^F^i^q), the essential problem is to find elements of even 
order, as SLPs in the given generators. Let G = '^F4{q) = {X). We begin with an 
overview of the method. The matrix degree is constant here, so we set ^ = £,{26). 

Choose random a G G of order q ~ 1, by choosing a random element of order 
{q ~ l){q + t + 1) and powering up. By Proposition 12.331 it is easy to find such 
elements, and by Proposition 12.321 we can diagonalise a and obtain c e GL(26,<7) 
such that a'^ = S = h{\, /i) for some A, /i G . 

Now choose random b E G. Let B — V^ and let A(u, v) be a diagonal matrix of 
the same form as ft.(A,/i), where A and are replaced by indeterminates u and u, 
so A{u, v) is a matrix over the function field ¥q{u, v). 

For any r, s G , such that r* — s, the matrix {A{r, s)BY ^ G (a) b. Hence by 
Conjecture 12.451 if we can find r, s such that ~ s and A{r, s)B has the eigenvalue 
1 with multiplicity 6, then with high probability A{r, s)B will have even order. 

Proposition 3.64. Assume Coniecture \2A7\ For every b e G \ Nciia)) the 6 
lowest coefficients /i, . . . , /g G Fq[M, v] of the characteristic polynomial of A(u, v)B^ 
I26 generate a zero- dimensional ideal. 

Proof. Since b does not normalise (a), by Conjecture 12.471 there must be a 
bounded number of solutions. Hence the system must be zero-dimensional. □ 
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Finally we can solve the discrete logarithm problem and find an integer k such 
that 6'^ = A{r, s). Then has even order, and therefore also a''b has even order. 
Since a and b are random, we obtain an element of even order as an SLP in X. The 
algorithm for finding elements of even order is given formally as Algorithm 13.71 

Lemma 3.65. Assume Conjecture \2A7\ There exists a Las Vegas algorithm that, 
given the matrices A{u, v) and B , finds r, s G such that r* = s and A(r, s)B 
has 1 as an eigenvalue of multiplicity at least 6. The algorithm has expected time 
complexity 0{\ogq) field operations. 

Proof. If we can find the characteristic polynomial f{x) E ¥q{u,v)[x] of 
A{u, v)B, then the condition we want to impose is that 1 should be a root of 
multiplicity 6, or equivalently that should divide g{y) ^ f{y + 

Hence we obtain 6 polynomial equations in u and v of bounded degree. By 
Proposition 13. 641 we can use Theorem 11.21 to find the possible values for r and s. 

Thus it only remains to find /(x), which has the form 

f{x) — a„a;" + • • • + aix + oq (3.52) 

where Oi G Fg(w, v) and ^ i ^ n ^ 26. Recall that A{u, v) is diagonal of the same 
form as h{X, /i). This implies that in an echelon form of A{u, v)B, the diagonal has 
the form A{u,v)D for some diagonal matrix D G GL(26,q). We obtain f{x) by 
multiplying these diagonal elements, and since the sum of the positive powers of u 
on the diagonal is 10, and the sum of the positive powers of v on the diagonal is 6, 
each Oi has the form 

a, = ^Cy-M^-^u^'^ (3.53) 
j 

where each aj G F^, — 10 ^ ^ 10 and — 6 < Wij ^ 6. 

Because of these bounds on the exponents Zij and Wij , we can find the coeffi- 
cients Cij, and hence the coefficients and f{x), using interpolation. Each Cij is 
uniquely determined by at most (2 • 10 + 1)(2 • 6 + 1) = 273 values of u, v and the 
corresponding value of Oi . 

Therefore, choose 273 random pairs (e^, fk) G Fg x ¥q. For each pair, calculate 
the characteristic polynomial ofA{ek, fk)B, thus obtaining the corresponding values 
of the coefficients a^. Finally perform the interpolation by solving n linear systems 
with 273 equations and variables. 

It is clear that the algorithm is Las Vegas, and the dominating term in the 
time complexity is the root finding of univariate polynomials of bounded degree 
over ¥q. □ 

Lemma 3.66. Assume Conjectures \2AG\ and U^TTl Let a G G be such that \a\ = 
q — 1 and a is conjugate to some h{X, fi) with — fi G ¥^ . The proportion of 
b G G \ NG((a)), such that (a) b contains an element with 1 as an eigenvalue of 
multiplicity 6, is bounded below by a constant C4 > 0. 
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Proof. Given such a coset (a) b, from the proof of Lemma f3.65l we see that 
our algorithm constructs a bounded number c?i of candidates of elements of the 
required type in the coset. 

Let c be the number of cosets containing an element of the required type. By 
Coniecturc l2.461 the total number of elements of the required type is C3 \G\. Hence c 
is minimised if all the c cosets contain di such elements, in which case cdi = C3\G\. 
Thus c ^ C3 \G\ /di and the proportion of cosets is c{q — 1)/ \G\ > c^lq — 
which is bounded below by a constant C4 > since C3 G 0(l/q). □ 

Theorem 3.67. Assume Conjectures 12.471 [2.461 anri 12.451 and an oracle for 
the discrete logarithm problem in Fg. Alaorithm \3.7\ is a Las Vegas algorithm with 
expected time complexity 0((^+log(g) log log((j)+XD('z)) loglog(g)) field operations. 
The length of the returned SLP is 0(loglog((7)) . 

Proof. By Proposition l2.32( a is conjugate to some h{X, ^) and by Proposition 
12. 33^ we can find h using expected 0(^ loglog(9)) field operations. The test at line 
1151 is easy since b either centralises or inverts a. Furthermore, by Lemma 13.661 the 
test at line [T71 will succeed with high probability and by Conjecture 12.451 the test 
at line flQl will succeed with high probability. The test at line [21] can only fail if |a| 
is a proper divisor of 9 — 1, which happens with low probability. 

Hence by Lemma [3.651 the algorithm is Las Vegas and the time complexity is 
as stated. Clearly, the length of the SLP of the returned element is the same as the 
length of the SLP of h. □ 

Algorithm 13.71 FindEvenOrderElement(X) 

1 Input: (X) < GL(26, q) such that (X) ^ ^Fi{q). 

2 Output: An element of {X) of even order, expressed as an SLP in X. 

3 // FindElementInCoset is given by Lemma \3^65\ 

4 repeat 



5 repeat 

6 h:= Random((A)) 

7 until \h\\iq-l)iq + t+l) 

8 a := 

9 (5, c := DiAGONALiSE(a) 

10 // Now a= = (5 = h{X, fi) where X, fi e ¥^ and = A* 

11 repeat 

12 repeat 

13 repeat 

14 6 := Random((X)) 

15 until 6 ^ Ng ((a)) 

16 {flag,r,s) := FindElementInCoset(6'^) 

17 until flag 

18 // Now r*' — s and A{r, s)b'^ has 1 as a 6-fold eigenvalue 

19 until |^(r, 5)6"^! is even 

20 fc := DlSCRETELOG((52,2,r) 

21 until fc > 



22 return a^b 
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Remark 3.68. If we are given g e {X) = ^F4(g), then a trivial modification 
of Algorithm 13.71 finds an element of {X), of even order, of the form hg for some 
h G {X). If we also have an SLP of g in X, then we will obtain hg as SLP, otherwise 
we will only obtain an SLP for h. 

Proposition 3.69. Assume Coniecture \2Ab\ With probability 1 — 0(l/q), the 
element returned by Alaorithm \3.7\ powers up to an involution of class 2 A. 

Proof. Follows immediately from Conjecture 12.451 □ 

3.3.3. Constructive membership testing. The overall method we use for 
constructive membership testing in ^F4(q) is the Ryba algorithm described in Sec- 
tion [LMH 

Since we know that there are only two conjugacy classes of involutions in ^F4{q), 
and since we know the structure of their centralisers, we can improve upon the basic 
Ryba algorithm. When solving constructive membership testing in the centralisers, 
instead of applying the Ryba algorithm recursively, we can do it in a more direct 
way using Theorem 11.121 and the algorithms for constructive membership testing 
in the Suzuki group, described in Section [3. II Involutions of class 2 A can be found 
using Algorithm 13. 7^ and Conjecture 12.401 give us a method for finding involutions 
of class 2B using random search. The Ryba algorithm needs to find involutions of 
both classes, since it needs to find two involutions whose product has even order. 

As a preprocessing step to Ryba, we can therefore find an involution of each 
class and compute their centralisers. In each call to Ryba we then conjugate the 
involutions that we find to one of these two involutions, which removes the necessity 
of computing involution centralisers at each call. 

3.3.3.1. The involution centralisers. We use the Bray algorithm to find gen- 
erating sets for the involution centralisers. This algorithm is described in Section 

The following results show how to precompute generators and how to solve 
the constructive membership problem for a centraliser of an involution of class 2A, 
using our Suzuki group algorithms to constructively recognise Sz{q). Analogous 
results hold for the centraliser of an involution of class 2B, using Theorem II. 121 to 
constructively recognise SL(2, q). 

Lemma 3.70. Assume Conjecture 12.391 and use its notation. There exists a 
Las Vegas algorithm that, given (Y) ^ G ^ GL(26, g) such that G ^ ^F4(g), 
S ^ (Y) ^ CgU) for an involution j £ G of class 2A and S ^ Sz{q), finds 
a composition series for the natural module M of (Y) such that the composition 
factors are ordered as 1, S'4, 1, 6*4, 1, Sf , 1, 6*4, 1, 6*4, 1, and finds the corresponding 
filtration of 02{(Y)). The algorithm has time complexity 0(|y|) field operations. 

Proof. By Proposition l2.39l the composition factors are as stated, and we just 
have to order them correctly. 
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(1) Find a composition factor of Fi of M, such that dimi^i — 1, and find 
Hi — Hom^y^(M, Fi). By Coniecture l2.391 M has a unique 1-dimensional 
submodule, so dim Hi — 1. 

(2) Let M25 = Kerai where (ai) = Hi. Then dimAf25 25. 

(3) Let Ml = Af^ n A/25 be the orthogonal complement under the bilinear 
form preserved by G, so that dim A/i = 1 . 

(4) Find a composition factor of F4 of Af25, such that dimi^4 ~ 4, and 
find H4 — Hom(Y)(Af25, i^4). By Conjecture 12.391 -^25 has a unique 4- 
dimensional submodule, so dim H4 = 1 for one of its 5 composition factors 
of dimension 4. 

(5) Let Af2i = KerQ;4 where (04) = H4. Then dim A/21 = 21. 

(6) Let A/5 = A/^ n A/21 be the orthogonal complement under the bilinear 
form preserved by G, so that dim A/5 = 5. 

(7) Now we have four proper submodules A/i, A/5, A/21, A/25 in the composi- 
tion series that we want to find, and we can obtain the other submodules 
by continuing in the same way inside A/2i- 

The filtration is determined by the composition factors, and immediately found. 
Clearly the time complexity is the same as the Meat Axe, which is 0(|F|) field 
operations. □ 

Lemma 3.71. Assume the Suzuki Conjectures, Coniectures \2.'S7\ 12.381 [2.391 and 
12.401 and an oracle for the discrete logarithm problem in ¥q. There exists a Monte 
Carlo algorithm with no false positives that, given (Y) ^ G ^ GL(26, q) such that 
G = '^F4{q), 5* < (r) CgU) and ZiCcU)) {Y), where j e G is an involution 
of class 2 A and S = Sz{q): 

• decides whether or not (Y) — Ccij), 

• finds effective homomorphisms ip : (Y) ^ Sz{q) and tt : Sz(q) — s- (Y), 

• finds u ^ G such that \u\ \ q — 1, Goij) < {Y,u) and {Y,u) is contained 
in a maximal parabolic in G, 

• finds {Z) ^ G such that {Z) = 02(CG(i)), and \Z\ e 0(log(g)). 

The algorithm has expected time complexity 

0{\Y\ + \og{qf + (e + XD{qmog\og{q)f) 

field operations. 

Proof. The algorithm proceeds as follows: 

(1) Find a composition series of the natural module of (y), as in Lemma [3.701 
By projecting to the middle composition factor we obtain an effective 
surjective homomorphism Lpi : (Y) — > 5*4 where S4 ^ GL(4, g) and S4 = 
Sz(g). Also obtain an effective surjective homomorphism p : 02{(Y)) 
N, where N is the first non-zero block in the filtration of 02{{Y)) {i.e. N 
is a vector space). By Conjecture 12.401 dimiV ~ 4. 
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(2) Use Theorem 13.261 to constructively recognise (pi{{Y)) and obtain an ef- 
fective injective homomorphism tt : Sz(g) (Y), and an effective isomor- 
phism ip2 : S4 Sz{q). Now (p — ip2 o (fii- 

(3) Find random g £ (Y) such that \g\ — 21. By Proposition 12.341 the pro- 
portion of such elements is high. Repeat until = j' is of class 2A and 
j' 7^ j, which by Conjecture 12.371 happens with high probability. 

(4) Using the dihedral trick, find h £ G such that j'' = /, \h\ \ q — 1 and 
{Y, h) is reducible. By Conjecture 12.381 these elements are easy to find. 

(5) Let u = h{{TT o (p)[h))^^, so that u commutes with S. Now (CG(j),u) is 
contained in a maximal parabolic, and CgO) is a proper subgroup, since 
u ^ CgU), but {Y,u) is reducible and hence a proper subgroup of G. 

(6) Diagonalise u to obtain ?(a, 6) for some a, 6 G . Repeat the two previous 
steps (find another h) if a or 6 lie in a proper subfield of F^. The probability 
that this happens is low, since \h\ = q — 1 with high probability. 

(7) Find random 7/1,..., ?/4 g (Y), and let Xi — yi{{n o if){yi))^^ for i = 
1, . . . , 4. Then a;i, . . . , X4 are random elements of 02{(Y)). Return false 
if p{xi), . . . , p{x4) are not linearly independent elements of N , since then 
with high probability (Y) < Cg(j)- Clearly, if the elements are linearly 
independent, then (Y) = CgO) so the algorithm has no false positives. 

(8) Find random x £ (Y) such that |a;| = 4fc. By Conjecture 12.371 with high 
probability X5 = x'' £ 02{{Y)) and xf £ Z{{Y)). Repeat until this is true. 

(9) Finally let 

2m+l 5 
i=0 ] = 1 

Clearly, the dominating term in the running time is Theorem 13.261 and the 
computation of tt, so the expected time complexity is as stated. □ 

Lemma 3.72. Assume the Suzuki Conjectures, Com'ecfares 12.38] 12.391 awc? l2.40l 
and an oracle for the discrete logarithm problem in ¥q. There exists a Las Vegas 
algorithm that, given G — (X) — ^F4(q) and an involution j £ (X) of class 2 A, as 
an SLP in X of length O (rij , 

• finds (Y) < G such that (Y) = CgO'), 

• finds effective inverse isomorphisms ip : (Y) — > Sz(q) and?: : Sz{q) —>■ (Y) , 

• finds u £ G such that \u\ \ q — 1, Qcij) < {Y,u) and (Y,u) is contained 
in a maximal parabolic in G, 

• finds {Z) < G such that {Z) = 02(CG(i)), and \Z\ £ 0(log(g)). 

The elements Y,Z,u are found as SLPs in X of length 0(n). The algorithm has 
expected time complexity 0(|F|-f log((7)'^ + (^ + XD(g))(loglog(g))^) field operations. 

Proof. The algorithm proceeds as follows: 

(1) Use the Bray algorithm to find probable generators Y for CgIj)- 

(2) Use the MeatAxe to split up the module of (Y) and verify that it splits up 
as in Conjecture 12.391 Use Theorem 13.31 to verify that the groups acting 
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on the 4-dimensional submodules are Suzuki groups. Return to the first 
step if not. It then follows from Proposition 12.341 that Z(CG(j)) ^ {y)- 
(3) Use Lemma [3.711 to determine if {Y) — CgU)- Return to the first step if 
not. Since the algorithm of Lemma [3.711 has no false positives, this is Las 
Vegas. 

By Proposition [21331 0(l) elements is sufficient to generate CgU) with high prob- 
ability, so the expected time complexity is as stated, and the elements of Y will be 
found as SLPs of the same length as j. 

From Lemma 13.711 we also obtain u, Z, (p and tt as needed. We see from its 
proof that u and Z will be found as SLPs of the same length as j. □ 

Lemma 3.73. There exists a Las Vegas algorithm that, given 

• (Y) ,{Z) i:G = {X) = ^Fi{q) such that (Y) = GgU) and (Z) = 02((r)) 
where j ^ G is an involution of class 2 A and Y, Z are given as SLPs in X 
of length O (n) , 

• an effective surjective homomorphism ip : (Y) Sz(g), 

• an effective injective homomorphism n : Sz{q) — )■ (Y) , 
. .9 6 GL(26,g), 

decides whether or not g G (Y) and if so returns an SLP of g in X of length 
0(n(log(q')(loglog(g))^ + |2^|)). The algorithm has expected time complexity 0(^-|- 
log(g)^ + |Z|) field operations. 

Proof. Note that ^ consists of a change of basis followed by a projection to a 
submatrix, and hence can be applied to any element of GL(26, g) using 0(l) field 
operations. 

(1) Use Algorithm 13.21 to express (p{g) in the generators of Sz(g), or return 
false if Lp{g) ^ Sz{q). Hence we obtain an SLP for (tt o (p){g) in Y, of 
length 0(log(q)(loglog(g))2). 

(2) Now h ~ g{{TT o ip){g))^^ E (Z). Using the elements of Z, we can apply 
row reduction to h, and hence obtain an SLP for /i in Z of length 0(|Z|). 
Return false if h is not reduced to the identity matrix using Z. 

(3) Since Y and Z are SLPs in X, in time 0(log(g)(loglog(g))^) we obtain an 
SLP for g in X, of the specified length. 

The expected time complexity then follows from Theorem 13. 131 □ 

We are now ready to state our modified Ryba algorithm, which assumes that 
the precomputations given by the above results have been done. 

Theorem 3.74. Assume Conjectures \'2A0\ ITISl 12.461 awd 13.64) and an oracle 
for the discrete logarithm problem in ¥q. Algorithm 13.81 is a Las Vegas algorithm 
with expected time complexity 0{^{£_+XD{q))^og\og{q) + \og{q)^ + \Za\ + \Zb\) field 
operations. The length of the returnedSLP is 0(n(log(g)(loglog(q))^ + |Z^| + |ZB|)) 
where n is the length of the SLPs for Xa, Xb, Za, Zb in X . 
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Algorithm [S^D Ryba{X, g, Xa, Xb) 

1 Input: (X) < GL(26,g) such that {X) = ^F^iq), g e GL(26,g). 
Involution centrahsers {Xa) , {Xb) ^ {X) for involutions ja^Jb G {X) 
of class 2A and 2B, respectively. Effective surjective homomorphisms 

ipA '■ {Xa) Sz(5), ipB ■ {Xb) SL(2,g). Effective injective homomorphisms 
TTA : Sz(g) ^ {Xa), ttb : SL(2,g) ^ (Xb) and Za Q {Xa), Zb Q {Xb) 
such that {Za) = 02((Xa)) and {Zb) = 02((Xb)). 

2 Output: If 5 e {X), TRUE and an SLP of g in X, otherwise false. 
// FindEvenOrderElement is given by Remark [3.681 

3 Use Theorem 13.631 to determine if g G {X) and return false if not. 

4 repeat 



5 := FindEvenOrderElement(X, 5) 

6 Let Wh be the SLP returned for h. 

7 Let z be an involution obtained from h by powering up. 

8 until z is of class 2A. 



9 Find random involution x e {Za) of class 2B. 

10 Let y be an involution obtained from xz by powering up. 

11 Find c e (X) as SLP in X, such that x'' = js- 

12 Let be an SLP for y'^ in X 

13 if y is of class 2A 

then 

14 Find c G (X) as SLP in X, such that y" = Ja- Let F := Xa- 
else 

15 Find c e (X> as SLP in X, such that y'^ = Jb- Let y := Xb- 
end 

16 Let Wz be an SLP for z'^ in X. 

17 Find c G (X) as SLP in X, such that z'' = jA- 

18 Let w/ig be an SLP for h'^ in X. 

19 Let := w~j^^Whg be an SLP for g in X. 

20 return true, Wg 

Proof. By Theorem [3211 the length of Wh is 0(loglog(g)). By Remark [3^ 
h — hig and Wh is an SLP for hi. 

Then z is found using Proposition 11.41 and by Proposition 13.691 it is of class 
2A with high probability. By Proposition I2.34[ the class can be determined by 
computing the Jordan form. 

By Conjecture 12.401 x will have class 2B with high probability, and then xz 
has even order by Proposition 12 . 341 Again we use Proposition II .41 to find y. 

Using the dihedral trick, we find c. Note that c will be found as an SLP of 
length 0(n), since we have an SLP for x, and we can assume that the SLP for Jb 
has length 0(n). Now {x,z) is dihedral with central involution y, so y'^ E {Xb)- 
Using the SL(2, q) version of Lemma [3.731 we find Wy using 0(^ + \og{q)^ + \Zb\) 
field operations, and Wy has length 0(n(log((7)(loglog((7))^ + 

The next c is again found using the dihedral trick, and comes as an SLP of the 
same length as Wy- Then z'^ G {Y) since y is central in {x,z). Hence we again use 
Lemma [5.731 (or its SL(2, q) version) to obtain Wz, with the same length as Wy (or 
with Zb replaced by Za)- 
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Finally, h clearly centralises z, and we now have an SLP for z, so we obtain 
another c as SLP in X, and use Lemma [3.731 to obtain an SLP for h'^. Hence we 
obtain Wgh, which is an SLP for h, and finally an SLP Wg for g. Since Wh has length 
0(loglog((7)) , the length of Wg is as specified. 

The expected time complexity follows from Theorem 13.671 Lemma 13.731 and 
Proposition 1 1.41 □ 



3.3.4. Conjugates of the standard copy. We now consider the situation 
where we are given {X) < GL(26, g), such that {X) = ^F4{q), so that {X) is a 
conjugate of ^F4(g), and the problem is to find g G GL{26,q), such that {X}^ = 
'F4(g). 

Lemma 3.75. Assume Coniectures \2.'S9]\2A0\ and \'2. 4:1\ There exists a Las Vegas 
algorithm that, given 

• G = (X) s$ GL(26,g) such that {X) ^ ^Fi{q), 

• (Y) ^ {X) such that (Y) = Ccij) for some involution j Cz G of class 2 A, 

• g G {X) such that \g\ \q — 1, {g) H (Y) = (1) and P ~ {Y, g) is contained 
in a maximal parabolic in (X) , 

finds (Z) < {Y,g) such that (Z) = Cp{g) = Sz{q) x Cg_i and (W) ^ (Z) such that 
(W) - Sz{q). 

The expected time complexity is 0(CTo(log(g)) log(g)) field operations. IfY and 
g are given as SLPs in X of length 0{n) , then Z and W will be returned as SLPs 
in X , also of length 0(n) . 

Proof. By Conjecture [131 we have (Y) = [q^^]: Sz{q) . Since (g) n (Y) = (1), 
it follows from Proposition 12.341 that (g) lies in the cyclic group Cg_i on top of 
P. Then g acts fixed-point freely on 02{P) and hence Cp{g) = Sz{q) x Cg_i and 
Cp(g)' - Sz{q). 

The algorithm proceeds as follows: 

(1) Choose random qq £ P and use Corollary [TTTT] to find bi, such that ai = 
b^^ao centralises g modulo $(02 (-P)). 

(2) Use Corollary [TTTT] to find 62, such that ci = 6^^ai centralises g modulo 
$($(02(P))). By Conjecture [1301 $($(02(P))) - (1), so a G Cpig). 
Similarly find C2 G Cp{g). 

(3) Now Z = {g,ci,C2} satisfies (Z) ^ Cp{g), so find probable generators 
W for (Z)'. Clearly, (Z) = Cp{g) if and only if (W) ^ Sz{q). Use the 
MeatAxe to split up the module for (W) and verify that it has the struc- 
ture given by Conjecture 12.411 Return to the first step if not. 

(4) From the 4-dimensional submodules, we obtain an image W4 of W in 
GL(4, (7). Use Theorem 13.31 to determine if {W4) = Sz(g). Return to the 
first step if not. 
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By Proposition 12. 12[ two random elements generate Sz{q) with high probabil- 
ity, so the probability that {Z)' = Sz{q) is also high. Hence by Theorem 13.31 the 
expected time complexity is as stated. □ 

Lemma 3.76. Assume the Suzuki Conjectures, the Big Ree Conjectures and an 
oracle for the discrete logarithm problem in Fg . There exists a Las Vegas algorithm 
that, given {X) ^ GL(26,g) such that (X) ^ '^Fi{q), finds (Y) < {X) and g G {X) 
such that {¥) = Sz{q) and {Y, g) = Sz(q) I C2- The elements of Y are expressed 
as SLPs in X of length O (log log ((7)); g is expressed as an SLP in X of length 
0((loglog((7))^) . The algorithm has expected time complexity 0(\X\ + \og{q)^ + 
{£. + XD{q)){loglog{q) f) field operations. 

Proof. The idea is to first find one copy of Sz{q) by finding a centraliser of 
an involution of class 2 A, which has structure [q^^]: Sz{q) , then use the Formula 
to find the Sz(g) inside this. Next we find a maximal parabolic inside this Sz(g) 
and use the dihedral trick and the Formula to conjugate it back to our involution 
centraliser. The conjugating element together with the Sz(g) will generate a copy 
of Sz(g);C2. 

The algorithm proceeds as follows: 

(1) Use Algorithm 13. 71 to find an element of even order and then use Proposi- 
tion [T^ to find an involution j E {X). Repeat until j is of class 2 A, which 
by Proposition 13 . 691 happens with high probability. 

(2) Use LemmaETDto find (C) ^ (X) and yi S {X) such that (C) = Ccij), 
1 2/1 1 I q — 1, yi ^ CgO) and (C, yi) is contained in a maximal parabolic in 
{X). 

(3) Use Lemma [3J5] to find (Y) (C,yi) such that (Y) ^ Sz{q) and (Y) 
commutes with yi. 

(4) Use the Meat Axe to split up the module of (Y). By Conjecture 12.411 we 
obtain 4-dimensional submodules, and hence a homomorphism p : (Y) — > 
GL(4, q). 

(5) Use Theorem 13. II to find an effective isomorphism ip : p{{Y)) — > Sz{q). 

(6) Use the first steps of the proof of Theorem l3.12l to find a' , 2/3 G p{{Y)), as 
SLPs in the generators of p{{Y)), such that \a'\ — A, 1^2! | 9—1 and (a', y'^ 
is contained in a maximal parabolic in p{(Y)). Evaluate the SLPs on Y to 
obtain a,?/2 £ (X) with similar properties. 

(7) Using the dihedral trick, find hi e {X) such that j^^ = and let y^ — y^^ . 
Since (a, j/2) is a proper subgroup of (Y), it follows that (CG(a^), 2/2) is a 
proper subgroup of G, and hence it is contained in a maximal parabolic. 
Clearly (CG(a^), j/3) is also contained in the same maximal parabolic. We 
know from the structure of (a, 2/2) that 2/2 ^ CG(a^), and since j/i ^ CgO), 
it follows that 2/3 ^ CG(a^), so (2/2) and (2/3) both lie in a group of shape 
W'^] ■ (9—1) and hence are conjugate modulo 02(CG(a^)). Now we want 
to conjugate (2/3) to (2/2) while fixing a^. 
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(8) Diagonalise 2/2 and 2/3 to obtain <^(a2,fo2) and "^(03, 63). Use the discrete 
logarithm oracle to find an integer fc e Z such that =03. If no such k 
exists, then find another pair of a, j/2, but this can only happen if 1 2/2! is a 
proper divisor of g — 1. 

(9) Notice that 1/3 also can diagonalise to q{a'^^,b3), so now 

yl^=y3 mod OzCCcla^)) 

or 1/2 = y^^ mod 02(00(0^))- In the latter case, invert j/3. 

(10) Use Lemma ri. 101 to find ci e {y^liVi) such that 

{y!!r=y3 mod $(02(CG(a2))) 
and then C2 G ((2/2 )'^^ 2/3) such that 

(y^r^- = 2/3 mod $($(02(00(0')))). 

By Conjecture mOl $($(02(00(0^)))) = (1), so (2/2)^^^^ = (2/3). 

(11) Now /i2 = (ciC2)~^ € CG(a') since by Lemma Fl. 10) both ci and C2 cen- 
tralise a^. Clearly, /12 conjugates (2/3) to (2/2)- Hence g — /11/12 conjugates 
{j,yi) to (a?,y2), and by construction ^0^,2/2) ^ (i^) commutes with 
both J and 2/1- Since (j, 2/1) is contained in a maximal parabolic of an- 
other copy of Sz((7), it follows that (Y) commutes with this copy. Thus 
(r,5)-Sz(g)?C2. 

By Theorem l3.671 the length of the SLP for j is 0(loglog((7)) . Then by Lemma 
13.721 the SLPs of C and 2/1 will also have length 0(loglog((7)). By Lcmma[X75l the 
SLPs for Y will have length O(loglog(g)). By Theorem [3?T1 the SLPs for a and 2/2 
will have length 0(loglog(g')^), and hence hi and /12 will also have this length. 

The expected time complexity follows from Lemma 13.721 □ 

Lemma 3.77. Assume Conjecture \2A2\ There exists a Las Vegas algorithm that, 
given {X) , {Y) , {Z) GL(26,g) such that {X) ^ ^F^iq) = (Y), (Z) Sz(g)xSz(q) 
and (Z) ^ (X) n (Y), finds g € GL(26, q) such that (X)^ = (Y). The algorithm has 
expected time complexity 0(\X\ + \Y\ + log(q)) field operations. 

Proof. Let M be the module of (Z) . Observe that g must centralise (Z) ,sogG 
Cgl(26,9)((^)) = Aut(M) C End(z>(M). By Conjecture the endomorphism 
ring of M has dimension 3. The algorithm proceeds as follows: 

(1) Use the MeatAxe to find 61,62,63 G GL(26,(7) such that End(2)(M) = 
®Li(e»). 

(2) Let xi,X2,X3 be indeterminates and let 

3 

h{xi,X2,X3) = '^XiCi e Mat26(Fg[xi, 2:2,2:3]). 
1=1 

(3) Use the MeatAxe to find matrices Qx, Qy corresponding to the quadratic 
forms preserved by {X) and (Y). 
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(4) A necessary condition on h{xi,X2,X3) for it to conjugate {X) to (Y) is 
the following equation: 

h{xi,X2,X3)Qxh{xi,X2,X3) = Qy (3.54) 

which determines 676 quadratic equations in xi,X2,X3. 

(5) Hence we obtain P C Fq[a;i, X2, X3] where each element of P has degree 2 
and \P\ ^ 676. Every f E P has 7 coefBcients, so we obtain an additive 
group homomorphism p : (P) F^. 

(6) Now dim p{P) = 3, so let 61, 62, ^3 be a basis of and let fi — p^^{bi) G 
Pfori = l,...,3. 

(7) By Proposition l2.431 the variety of the ideal I — {fi, f2, fa) 1^^q[xi,X2,xs] 
has size 2. Find this variety using Theorem 11.31 

(8) Let hi,h2 be the corresponding elements of End(2)(M). Clearly, one of 
them must also lie in Aut(M) and conjugate {X) to (Y), since our g exists 
and satisfies the necessary conditions which led to hi and /i2- Use Theorem 
13.631 to determine which hi satisfies (X)^^ = (Y). 

Clearly, this is a Las Vegas algorithm and the expected time complexity follows 
from Theorem 11.31 □ 

Theorem 3.78. Assume the Suzuki Conjectures, the Big Ree Conjectures, and 
an oracle for the discrete logarithm problem in ¥q. There exists a Las Vegas al- 
gorithm that, given {X) , (Y) ^ GL(26,g) such that {X) = ^F4{q) = (Y), finds 
g € GL(26, g) such that (X)^ = (Y). The algorithm has expected time complexity 
0{\X\ + \og{qf + (e + XD('?))(loglog(q))2) field operations. 

Proof. The algorithm proceeds as follows: 

(1) Use Lemma [S2B] to find 6*1 C (X) and ci £ (X) such that (^i) Sz{q) 
and(S'i,Ci) ^ Sz(g);C2.Let (S'2) = (S*!)"' so that {81,82) = Sz(g)xSz(g). 

(2) Similarly find 83, 8^ C (Y) such that {83, 8^) ^ Sz(g) x Sz{q). 

(3) Use the MeatAxe to split up the modules of each {8i). By Proposition 
12.411 we obtain 4-dimensional submodules, and hence surjectivc homo- 
morphisms pi : {8i) — > GL(4, q) for i — 1, . . . ,A. 

(4) Use Theorem 13.11 to find effective isomorphisms (pi : pi{{8i)) Sz{q) 
for i = 1, . . . , 4. If 5* is the standard generating set for Sz{q), we then 
obtain standard generating sets Ri for {8i) by obtaining SLPs for 8 in the 
generators of pi{{8i)) and then evaluating these on 8i. 

(5) Let Ml be the module for {Ri, R2) and let M2 be the module for {R3, R4). 
Now Ml = M2, and all Ri are equal, so we can use the MeatAxe to find 
a change of basis matrix hi g GL(26, q) between Mi and M2. 

(6) Then {81, S'2)''' = (S3, S4) and hence (5*3, S'4) < {xf' n (Y). Use Lemma 
1X771 to find h2 e GL(26,g) such that (X) = (Y). Hence g = /ii/i2- 

Clearly, this is a Las Vegas algorithm and the expected time complexity follows 
from Lemma 13.761 □ 
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3.3.5. Constructive recognition. Finally, we can now state and prove our 
main theorem. 

Theorem 3.79. Assume the Suzuki Conjectures, the Big Ree Conjectues, and 
an oracle for the discrete logarithm problem in Fg. There exists a Las Vegas algo- 
rithm that, given {X) ^ GL(26,(7) satisfying the assumptions in Section \\.2.7\ with 
q — 2^"'+-'^, TO > and (X) = ^F4(g), finds an effective isomorphism ip : (X) 
'^F4{q). The algorithm has expected time complexity 0((^ + xn('z))(loglog(q))^ + 
\X\ + log(q)'^) field operations. 

The inverse of ip is also effective. Each image and pre-image of ip can be com- 
puted using 0(l) field operations. 

Proof. Use Theorem [375] to obtain c € GL(26,g) such that (X)" = "^Fii^q). 
An an effective isomorphism ip : (X) — > ^F4(g) is then defined hy g i—> g'^, which 
clearly can be computed in 0(f) field operations. The expected time complexity 
follows from Theorem 13.781 □ 



CHAPTER 4 



Sylow subgroups 

We will now describe algorithms for finding and conjugating Sylow subgroups 
of the exceptional groups under consideration. Hence we consider the following 
problems: 

(1) Given {X) ^ GL{d,q), such that {X) ^ G for one of our exceptional 
groups G, and given a prime number p \ \G\, find (Y) ^ (X) such that 
(Y) is a Sylow p-subgroup of {X) . 

(2) Given {X) ^ GL{d,q), such that {X) = G for some of our exceptional 
groups G, and given a prime number p \ \G\ and (Y) , (Z) ^ {X) such 
that both (Y) and (Z) are Sylow p-subgroups of {X), find c G (X) such 
that (F)" = (Z). 

The second problem is the difficult one, and often there are some primes that 
are especially difhcult. We will refer to these problems as the "Sylow subgroup prob- 
lems" for a certain prime p. The first problem is referred to as "Sylow generation" 
and the second as "Sylow conjugation" . 

4.1. Suzuki groups 

We now consider the Sylow subgroup problems for the Suzuki groups. We will 
use the notation from Section 12.11 and we will make heavy use of the fact that 
we can use Theorem 13 . 261 to constructively recognise the Suzuki groups. Hence we 
assume that G satisfies the assumptions in Section fl. 2. 71 so Sz{q) = G ^ GL{d, q). 

By Theorem [2T] and Proposition[2^ |G| = + and aU three factors 

are pairwise relatively prime. Hence we obtain three cases for a Sylow p-subgroup 
S'of G. 

(1) p divides q^, so p — 2. Then S is conjugate to !F and hence S fixes a 
unique point Ps of O, which is easily found using the Meat Axe. 

(2) p divides q — 1. Then S is cyclic and conjugate to a subgroup of H. Hence 
S fixes two distinct points P,Q E O, and these points are easily found 
using the Meat Axe. 

(3) p divides q^ + 1. Then S is cyclic and conjugate to a subgroup of C/i or 
U2, and S has no fixed points. This is the difficult case. 

Theorem 4.1. Assume the Suzuki Conjectures and an oracle for the discrete 
logarithm problem in ¥q. There exist Las Vegas algorithms that solve the Sylow 
subgroup problems for p — 2 in Sz{q) = G ^ Gh{d,q). Once constructive recog- 
nition has been performed, the expected time complexity of the Sylow generation is 
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0{d^ \og{q){loglog{q) f) field operations, and 0{d^{\Y\ + \Z\+log{q){\og\og{q))'^) + 
log((?)^) field operations for the Sylow conjugation. 

Proof. Let H = Sz{q). Using the effective isomorphism, it is sufficient to solve 
the problems in the standard copy. 

The constructive recognition uses Theorem l3.12l to find sets L and U of "stan- 
dard generators" for Hp^ and Hp^ , respectively. 

A generating set for a random Sylow 2-subgroup S of H can therefore be 
computed by taking a random h E H, and as generating set for S take L''. To obtain 
a Sylow 2-subgroup R of G, note that we already have the 0(log(g)) generators L 
and h as SLPs of length O((loglog(g))^), so we can evaluate them on X. Hence the 
expected time complexity is as stated. 

Given two Sylow 2-subgroups of G, we use the effective isomorphism to map 
them to H using 0((i'^(|y| + \Z\)) field operations. We can use the MeatAxe to 
find the points Py, Pz E O that are fixed by the subgroups. Then use Lemma [3. Ill 
with U to find a E Hp^ such that Pya = Poo and b E Hp^ such that Pzh ~ Poo- 
Then ab^^ conjugates one Sylow subgroup to the other, and we already have this 
element as an SLP of length 0(log(g)(loglog((7))^). 

In the case where Py = Poo and Pz = Pq, we know that T maps Py to Pz- 
Then use Algorithm [X^ to obtain an SLP for T of length 0(log(9)(log log(g))^) . 

Hence we can evaluate it on X and obtain c E G that conjugates (Y) to (Z). 
Thus the expected time complexity follows from Lemma lS.lll and Theorem lS.lSI □ 

Theorem 4.2. Assume the Suzuki Conjectures and an oracle for the discrete 
logarithm problem in ¥q. There exist Las Vegas algorithms that solve the Sylow 
subgroup problems for p \ q — I in Sz(q) ^ G ^ GL(c?, g). Once constructive recog- 
nition has been performed, the expected time complexity of the Sylow generation is 
0((^(d) -Mog(g)loglog(q) + d^)\og\og{q)) field operations, and 0{d^{\Y\ + \Z\ + 
log((7)(log log((7))^) -|- log((7)'^) field operations for the Sylow conjugation. 

Proof. Let H = Sz{q). In this case the Sylow generation is easy, since we can 
determine the highest power e of p such that p"^ \ q — 1, find a random element of 
pseudo-order q—l, use Proposition ll.4l to obtain an element of order p"^, then evalu- 
ate its SLP on X. By Proposition l2.61 the expected number of random selections, and 
hence the length of the SLP, is O(loglog(;), and we need 0(log((7) loglog(g)) field 
operations to find the order. Then we evaluate the SLP on X using 0((i'^ \og\og{q)) 
field operations, so the expected time complexity is as stated. 

For the Sylow conjugation, recall that the constructive recognition uses Theo- 
rem [TH] to find sets L and U of "standard generators" for Hp^ and Hp^, respec- 
tively. 

Given two Sylow p-subgroups of G, we use the effective isomorphism to map 
them to H using 0(d^(|y|-|-|Z|)) field operations. Let Hy, Hz ^ H he the resulting 
subgroups. Using the MeatAxe, we can find Py ^ Qy E O that are fixed by Hy 
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and Pz 7^ Qz G C that are fixed by Hz- Order the points so that Py 7^ Pq and 
Pz^Po- 

Use Lemma [3.111 with U to find ai G iJp,, such that Pyai = -Poo- Then use 
L to find a2 G ^i^^o such that QYCLia2 ~ Po- Similarly we find 5i,fo2 G ^ such 
that Pzbib2 — Poo and Qzbib2 = Po- Then aia2(6i62)~^ conjugates one Sylow 
subgroup to the other, and we already have this element as an SLP of length 
0(log(g)(loglog((7))^). Hence we can evaluate it on X and obtain c £ G that con- 
jugates {Y) to (Z). Thus the expected time complexity is as stated. 

□ 

Lemma 4.3. There exists a Las Vegas algorithm that, given g,h € Sz(g) with 
\g\ = \h\ both dividing q±t+l, finds c G (g) such that c is conjugate to h in Sz{q). 
The expected time complexity is ©(logq) field operations. 

Proof. The algorithm proceeds as follows: 

(1) Find the minimal polynomial /i of g. By Theorem 12. 11 g acts irreducibly 
on F^, so /i is irreducible. Let F = ¥q[x]/ (/i), so that F is the splitting 
field of /i. Clearly F = ¥^4. and F^ = (a) where a is a root of /i. 
Moreover, x 1-^ g defines an isomorphism F ¥q{{g)), where the latter 
is the subfield of Mat4(Fq) generated by g. 

(2) Find the minimal polynomial /2 of h. Then F is also the splitting field 
of /2, and if /3 G F is a root of /2, then /3 is expressed as a polynomial 
/a in a, with coefficients in ¥q. Similarly, x ^-^ h defines an isomorphism 

F^¥q{{h)). 

(3) Now /a defines an isomorphism ¥q{{h)) -^¥q{{g)) as fsig), because 
h and /3(g) have the same minimal polynomial. Hence if we let c = fsig), 
then c has the same eigenvalues as /i, so c and h are conjugate in GL(4, q). 
Then |c| = \h\ and Tr(c) = Tr(/i), so by Proposition l2.8l c is also conjugate 
to h in Sz{q). Moreover, both (g) and (c) are subgroups oi ¥q{{g))^ , but 
since |c| = \h\ = \g\, they must be the same. Thus c G {g). 

By |Gie95] . the minimal polynomial is found using 0(l) field operations. Hence 
by Theorem ll.il the expected time complexity is as stated. □ 

The conjugation algorithm described in the following result is essentially due 
to Mark Stather and Scott Murray. 

Theorem 4.4. Assume the Suzuki Conjectures and an oracle for the discrete 
logarithm problem in ¥q. There exist Las Vegas algorithms that solve the Sylow 
subgroup problems for p \ q^ + 1 in Sz{q) ^ G ^ Gh{d,q). Once constructive 
recognition has been performed, the expected time complexity of the Sylow generation 
is 0{{^{d) + \og{q)\og\og{q) + d^)log\og{q)) field operations, and 0{£_{d)+d^{\Y\ + 
\Z\ + log(g)(loglog(g))^) + log((7)'^) field operations for the Sylow conjugation. 
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Proof. Let H — Sz{q). The Sylow generation is analogous to the case in 
Theorem 14.21 since by Proposition [5111 we can easily find elements of pseudo-order 
q±t + l. 

Given two Sylow p-subgroups of G, we use the effective isomorphism to map 
them to H, using 0((i"^(|y| + \Z\)^ field operations. The resulting generating sets 
must contain elements hy, hz £ H of order p, since the Sylow subgroups are cyclic. 
Let J be as in (|2.24p . so that H preserves the symplectic form J, and let ^ be as 
in Section r2. 1.21 the automorphism of Sp(4, q) whose set of fixed points is Sz{q). 



(1) Use Lemma H31 to replace hy. Henceforth assume that hy and hz are 
conjugate in H. 

(2) Find gi E GL(4, such that /i^^ = hz- This can be done by a similarity 
test, or computation of Jordan forms, using |Ste97| . The next step is to 
find a matrix g2 such that (7251 G Sp(4, q), and (7251 also conjugates hy to 
hz- 

(3) Let A = Cql(4 (/ij,) (the automorphism group of the module of (hy)). 
Since (hy) is irreducible, by Schur's Lemma A = F^4. Such an isomorphism 
6 : A ^ ¥qi, and its inverse, can be found using the MeatAxe. 

(4) Now define an automorphism ip of A as ip{a) — Ja^J~^. Then ip has 
order 2 and A = F^4 . Recall that F^4 has a unique automorphism of order 
2 {k 1-^ fc*^), which must be 9 o ip o . 

(5) Let ti — Jg^^ J^^g^^ and observe that ti G A. We want to find 92 S A 
such that g2giJ{92gi)^ = J, which is equivalent to 93(52)52 ~ ^i- Using 
9, this is a norm equation in Wgi over ¥g2. In other words, we consider 
^(52)'''^^ = ^(^i), which is solved for example using [HRD051 Lemma 
2.2]. 

(6) Hence 5251 lies in Sp(4, (7), and 52 fixes /ij,, so 5251 conjugates hy to hz. 
The next step is to find a matrix 53, such that 535251 € Sz((7), and such 
that 535251 also conjugates hy to hz- Hence we want 53 G Sp(4, g) and 

^(535251) = 535251- 

(7) Find w £ F^4 of order + 1, by taking the q^ — 1 power of a primitive ele- 
ment. Then Lp{9^^ (w)) 9^ ^{w) — 1 , which implies that ^""'^(w) J6'~^(ix;)-^ = 
J, and hence 9^^{w) e Sp(4,q). Similarly, every element of {w) gives rise 
to matrices in Sp(4, q). We therefore want to find an integer i, such that 

= 53- 

(8) Moreover, we want 

^{9-\w')g2gi) ^ 9-\w')g2gi ^ 
^{9-\w)y^{g2gi) = 9-\wyg2gi ^ 

(4.1) 

^i9-\w)y9-'iw)-' - 525i^'(32.9i)"' ^ 
9{'f{9-\w))yw-' = ^(525i*(ff25i)~') 
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SO if we let t2 = ^(5251 ^' (5231) we want to find an integer i such that 

e{<f{e-'^{w))yw-' = t2. 

(9) Use the discrete log oracle to find k such that 9{'i'{9^^{w))) — . Since 
5231 G Sp(4, g) it follows that ^2 G {w) . Use the discrete log oracle to 
find n & such that = ^2- Our equation turns into (k — l)i = n 
(mod + 1), which we solve to find i. 

By IHRDOS] Lemma 2.2], this whole process uses expected 0{\ogq) field op- 
erations. Finally we use the effective isomorphism to map the conjugating element 
back to G. Hence the time complexity is as stated. □ 

4.2. Small Ree groups 

We now consider the Sylow subgroup problems for the small Ree groups. We 
will use the notation from Section 12.21 and we will make heavy use of the fact that 
we can use Theorem l3.62l to constructively recognise the small Ree groups. Hence we 
assume that G satisfies the assumptions in Section [1.2. 71 so Ree(g) = G ^ GL(c?, q). 

By Proposition l2.151 we obtain 4 cases for a Sylow p-subgroup S of G. 

(1) p = 2, so that by |HB821 Chapter 11, Theorem 13.2], S is elementary 
abehan of order 8 and [Ng(5) : S] = 21. 

(2) p divides , so p = 3. Then S is conjugate to U{q) and hence S fixes a 
unique point Ps of O, which is easily found using the Meat Axe. 

(3) p divides g — 1 and p > 2. Then S is cyclic and conjugate to a subgroup 
of H{q). Hence S fixes two distinct points P,Q € O, and these points are 
easily found using the MeatAxe. 

(4) p divides + 1 and p > 2. Then S is cyclic and conjugate to a subgroup 
of Aq, A\ or A2 from Proposition 12.201 In this case, we have only solved 
the Sylow generation problem. 

Theorem 4.5. Assume the small Ree Conjectures and an oracle for the dis- 
crete logarithm problem in ¥q. There exist Las Vegas algorithms that solve the Sylow 
subgroup problems for p — 3 in Ree(g) ^ G ^ GL(d, g). Once constructive recog- 
nition has been performed, the expected time complexity of the Sylow generation is 
0{d^ (log(g) log log(g) ) 2 ) field operations, and O (d^ ( | F | + 1 Z | + (log(g) log log(g) ) ^ ) + 
log(g)^) field operations for the Sylow conjugation. 

Proof. Let H — Ree(q). The constructive recognition uses Theorem 13.401 to 
find sets L and U of "standard generators" for Hp^ and Hpg , respectively. 

A generating set for a random Sylow 3-subgroup S oi H can therefore be com- 
puted by finding a random h Cz H, and as generating set for S take {m^ \ m G L}. 
To obtain a Sylow subgroup R of G, note that we already have the 0(log(g)) gen- 
erators of L and h as SLPs of length O(log(q)(loglog(g)-^)), so we can evaluate them 
on X. Hence the expected time complexity is as stated. 

Given two Sylow 3-subgroups of G, we use the effective isomorphism to map 
them to H using 0((i'^(|F| + |Z|)) field operations. We can use the MeatAxe to find 
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the points Py,Pz G O that are fixed by the subgroups. Then use Lemma [5. 391 with 
U to find a & H, such that Pya = Poo, and b & H, such that Pzb = Poo- Then ab~^ 
conjugates one Sylow subgroup to the other, and we aheady have this element as 
an SLP of length 0((log(g) loglog((7))2). 

In the case where Py — Poo and Pz = Po, we know that T maps Py to Pz- 
Then use Algorithm 13.61 to obtain an SLP for T of length 0((log((7) loglog(g))^). 

Hence we can evaluate it on X and obtain c ^ G that conjugates (Y) to (Z). 
Thus the expected time complexity follows from Lcmma r3.39l and Theorem l3.42l □ 

Theorem 4.6. Assume the small Ree Conjectures and an oracle for the discrete 
logarithm problem in ¥q. There exist Las Vegas algorithms that solve the Sylow 
subgroup problems for p \ q^l, p > 2, in Kee{q) ^ G ^ GL((i, q). Once constructive 
recognition has been performed, the expected time complexity of the Sylow generation 
is 0((^(d) + log(g)loglog(g)+d3)loglog(g)) field operations, anrf 0(^^(1^ | + |^| + 
(log(g) log log((7))^) + log(g)'^) field operations for the Sylow conjugation. 

Proof. Let H — Ree{q). In this case the Sylow generation is easy, since we 
can determine the highest power e of p such that | q—1, find a random element of 
pseudo-order q—1, use Proposition ll.4l to obtain an element of order p, then evaluate 
its SLP on X. By Proposition 12. 23[ the expected number of random selections, and 
hence the length of the SLP is O (log log g), and we need 0(log((7) loglog((7)) field 
operations to find the order. Then we evaluate the SLP on X using 0(c?'^ loglog((7)) 
field operations, so the expected time complexity is as stated. 

For the Sylow conjugation, recall that the constructive recognition uses Theo- 
rem [330] to find sets L and U of "standard generators" for Hp^ and Hpg, respec- 
tively. 

Given two Sylow p-subgroups of G, we use the effective isomorphism to map 
them to H using 0((i"^(|y| + |Z|)) field operations. Let Hy, Hz ^ H he the resulting 
subgroups. Using the Meat Axe, we can find Py, Qy E O that are fixed by Hy and 
Pz, Qz € O that are fixed by Hz- Order the points so that Py ^ Po and Pz 7^ Po- 

Use Lemma 13.391 with U to find a\ e Hp^, such that Pya\ — P^o- Then 
use L to find 02 G HPoa, such that Qyaia2 ~ Po- Similarly we find b\,b2 G H, 
such that Pzb\bi ~ Poo and Qzbib2 = Po- Then 0102(6162)^^ conjugates one 
Sylow subgroup to the other, and we already have this element as an SLP of length 
0((log(g) loglog((7))^). Hence we can evaluate it on X and obtain c e G that 
conjugates (Y) to {Z). Thus the expected time complexity is as stated. □ 

Theorem 4.7. Assume the small Ree Conjectures and an oracle for the dis- 
crete logarithm problem in ¥q. There exists a Las Vegas algorithm that solves the 
Sylow generation problem for p \ q^ + 1, p > 2, in Ree((?) = G ^ GL{d,q). Once 
constructive recognition has been performed, the expected time complexity of the 
Sylow generation is 0((^(o?) -|- log((7) loglog((7) 4- c?'^) loglog((7)) field operations. 

Proof. Let H — Ree(g). The Sylow generation is easy, since we can find an 
element of pseudo-order q±3t + 1 or {q + l)/2, use Proposition 11.41 to obtain an 
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element of order p, then evaluate its SLP on X. By Proposition 12.231 the expected 
number of random selections, and hence the length of the SLP is O (log log g), and 
we need 0(log(g) loglog(g)) field operations to find the order. Then we evaluate the 
SLP on X using 0(d^ loglog(g)) field operations, so the expected time complexity 
is as stated. □ 

This result is due to Mark Stathcr and is the same as |Sta06|, Lemma 4.35]. 

Lemma 4.8. Let G be a group and let k E 1^ be such that \G\ — 2^n with n odd. 
Let P have order 2^-^. Let (P, X) and {P,y) be Sylow 2-subgroups ofG. Then 
\xy\ = 2* for some t El^ if and only if {P, x) — (P, y). Moreover if\xy\ = 2*(2s + 1), 
then {P,x)'-^"'^' = (P,y) 

Proof. Let H = {P,xy). Then iJ is a subgroup of {P,x,y) of index 2, that 
contains P, but does not contain x or y. Since P has index 2 in both (P, x) and 
{P,y) it follows that xy E N^f(P). But P is a Sylow 2-subgroup of H so, 

\xy\ = 2'' ^ xy e P ^ {P,x) = {P,y) 

The second statement is an application of Proposition II. 8[ modulo H. □ 

Theorem 4.9. Assume the small Ree Conjectures and an oracle for the dis- 
crete logarithm problem in ¥q. There exists a Las Vegas algorithm that solves the 
Sylow generation problem for p ~ 2 in Ree((7) = G ^ Gh{d,q). Once construc- 
tive recognition has been performed, the expected time complexity is 0((^((i) + 
d^ log(g)) loglog(q) + log(q)'^ + Xoiq)) field operations. 

Proof. Let H = Ree(g). We want to find three commuting involutions in H. 
Using the first three steps of the algorithm in Section [3. 2. 2. 31 we find an involution 
ji G H and Ch(ji)' — PSL(2, g). Using the notation of that algorithm, we can let 
the second involution j2 G Ch(ji)' be T^iiT^^ij)) where j is the second matrix in 

We then want to find the third involution in the centraliser of j2 in C/f (ji)'- 
In our case this centraliser has structure (C2 x(C2 :^o)- Hence its proportion of 
elements of even order is 3/4, and 1/2 of its elements are involutions other than 
j2. Using the Bray algorithm we can therefore compute random elements of this 
centraliser until we find such an involution J3. 

Clearly ji , j2 , js will all commute. As in the proof of Corollarv l3.361 the expected 
time to find ji, constructively recognise C/f(ji)' and find j2 is 0(^log log((;) + 
-\-\og{q)^ + Xoiq)) field operations. By the above, the expected time to find jz is 
0(1) field operations. The involutions will be found as SLPs, where ji and have 
length 0(1), because the generators of ChUi)' are SLPs of length 0(l). By Lemma 
inSiand Theorem [rH j2 has length 0(log(g) loglog(g)). Thus we can evaluate 
them on X using 0(d'^ log(q) loglog(g)) field operations, and the expected time 
complexity is as stated. □ 
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Theorem 4.10. Assume the small Ree Conjectures and an oracle for the dis- 
crete logarithm problem in ¥q. There exists a Las Vegas algorithm that solves 
the Sylow conjugation problem for p — 2 in Ree(g) ^ G ^ GL{d,q). Once con- 
structive recognition has been performed, the expected time complexity is 0(^((i) + 
d^((log((7)loglog((7))2 + \Y\ + \Z\) -\-\og{qf) field operations. 

Proof. Let H = Kcc{q). Given two Sylow 2-subgroups of G, we use the ef- 
fective isomorphism to map them to H, using 0((i''(|y| + \Z\)^ field operations. 
The resulting generating sets are P = {j/i, y2, ys} and S — {zi, Z2, z^}, where both 
the yi and Zi are commuting involutions. We may assume that (Y) ^ {Z) so that 
P^S. 

The algorithm proceeds as follows: 

(1) By Proposition 12.26) we can use the dihedral trick in H and hence find 
ci & H such that j/J^ = zi. We then want to conjugate y2 to Z2 while 
fixing zi. 

(2) Using the first steps of the algorithm in Section 13.2.2.31 wc find Gi = 
Gh{zi) ^ (zi) X PSL(2,(7), and use Theorem 11.131 to determine when we 
have the whole of Gi. Observe that Zi e Gi for all i. 

(3) Choose random g € G{. If Z2g has odd order, then Z2 & C[. Conversely, if 
Z2 £ C'l then Z2g has odd order with probability 0(l). Similarly, if ziZ2g 
has odd order, then ziZ2 G G(, and the probability is the same. Repeat 
until either Z2 or ziZ2 has been proved to lie in G( and replace Z2 with 
this element. Do the same procedure with y^^, z/g^, z^. 

(4) Now y2\z2,y3\z3 € C[ ^ PSL(2,g), and by |WP06l Theorem 13], the 
dihedral trick works in PSL(2, g). Hence find C2 S C[ such that 2/2^*^^ ~ ^2- 

(5) Let |2/3^'^^2:3| — 2*s, where s is odd. If s = 1 then let c^ — 1 and otherwise 
let C3 = {y^'^^zsY'-^^/^. By LemmaEH P'^i'^^c,, ^ s. 

Finally, we use the effective isomorphism to map C1C2C3 back to G. As in the 
proof of Corollarv l3.36l Gi is found using expected 0(£_{d) + log(g) loglog(q)) field 
operations, if we let e = loglog(g) in Theorem 1 1.1 31 The expected time complexity 
of the effective isomorphism follows from Theorem 13.621 □ 

4.3. Big Ree groups 

We now consider the Sylow subgroup problems for the Big Ree groups. We will 
use the notation from Section [531 and we will make heavy use of the fact that we 
can use Theorem 13.791 to constructively recognise the Big Ree groups. However, 
we can only do this in the natural representation, and hence we will only consider 
the Sylow subgroup problems in the natural representation. Hence we assume that 
2F4(g)^G<GL(26,g). 

It follows from [DS99j that if g e G then \g\ is even, or divides any of 
the numbers {q + 1, q — I, q ±t + 1, ± 1, q'^ — q + 1, q"^ ±tq -\- q ±t -\- l} . Hence 
we obtain several cases for a Sylow p-subgroup S of G. 
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(1) p = 2. Then S has order q^'^ and Hes in Gc{j) for some involution j of 
class 2A. It consists of 02(CG(j)) extended by a Sylow 2-subgroup in a 
Suzuki group contained in the centraliser. 

(2) p divides o £ {q — I, q ± t + 1}. Then S has structure Gp x Cp. UG ^ H = 
Sz(g) X Sz((7), then S is contained in H and consists of Sylow p-subgroups 
from each Suzuki factor. 

(3) p divides q-^ — q+1 or q-^ ±tq + q±t + 1. Then S is cyclic of order p, and 
hence these Sylow subgroups are trivial to find. We do not consider this 
case. 

(4) p divides q + 1. We do not consider this case. 

Theorem 4.11. Assume the Suzuki Conjectures, the Big Ree Conjectures and 
an oracle for the discrete logarithm problem in ¥q. There exists a Las Vegas al- 
gorithm thats solve the Sylow generation problem for p = 2 in '^F4{q) = (X) ^ 
GL(26, q). Once constructive recognition has been performed, the expected time com- 
plexity is 0(log((7)(loglog((7))^) field operations. 

Proof. Let G ~ (X). We see from the proof of Theorem l3. 781 that during the 
constructive recognition, we find GgU) for some involution j E G oi class 2A. We 
also find (Y) , (Z) ^ CgO) such that {Y) = OziGaij)) and (Z) ^ Sz(g). Moreover, 
(Z) is constructively recognised, and Y, Z are expressed as SLPs in X of length 
0(loglog(g)). 

Hence we can apply Theorem 14.11 and obtain a Sylow 2-subgroup (W) of (Z) 
using 0(log((7)(loglog(g))^) field operations. Now {Y,W) is a Sylow 2-subgroup of 

G. a 

Theorem 4.12. Assume the Suzuki Conjectures, the Big Ree Conjectures and 
an oracle for the discrete logarithm problem in ¥q. There exist Las Vegas algorithms 
that solve the Sylow generation problems for p \ q — 1 orp\q±t-\-l m ^F4(g) = 
G ^ GL(26,q'). Once constructive recognition has been performed, the expected time 
complexity is 0((^ -I- log(g) loglog((7)) loglog(g)) field operations. 

Proof. Let G = {X). We see from the proof of Theorem 13.781 that during 
the constructive recognition, we find (Yi) , (1^2) — Sz{q), and they commute, so 
(Yi,l2) — Sz{q) X Sz{q). Moreover, (Yi) and (I2) are constructively recognised, 
and Yi, Y2 are expressed as SLPs in X of length 0(loglog((7)^). 

Hence we can apply Theorem 14 . 2 1 or and obtain Sylow p-subgroups of (Yi) 
and (Y2), using 0((^-|-log((7) log log((7)) log log((7)) field operations. From the proof 
of the Theorems, we see that there will be a constant number of generators, which 
will be expressed as SLPs in (Y^) of length 0(loglog((7)). Hence we can evaluate 
them on X using 0((loglog((7))'^) field operations. □ 



CHAPTER 5 



Maximal subgroups 

We will now describe algorithms for finding and conjugating maximal subgroups 
of the exceptional groups under consideration. Hence we consider the following 
problems: 

(1) Given {X) ^ GL{d,q), such that {X) = G for some of our exceptional 
groups G, find representatives (Fi) , . . . , (Yn) of the conjugacy classes of 
(some or all of) the maximal subgroups of G. 

(2) Given {X) ^ GL{d,q), such that {X) = G for some of our exceptional 
groups G, and given (Y) , (Z) ^ {X) such that (Y) and (Z) are conjugate 
to a specified maximal subgroup of {X), find c e {X) such that (F)^ = 
{Z). 

It will turn out that because of the results about Sylow subgroup conjugation 
in Chapter HI the second problem will most often be easy. The first problem is 
therefore the difhcult one. We will refer to these problems as the "maximal subgroup 
problems" . The first problem is referred to as "maximal subgroup generation" and 
the second as "maximal subgroup conjugation" . 

5.1. Suzuki groups 

We now consider the maximal subgroup problems for the Suzuki groups. We 
will use the notation from Section 12. H and we will make heavy use of the fact that 
we can use Theorem 13 . 261 to constructively recognise the Suzuki groups. Hence we 
assume that G satisfies the assumptions in Section [T. 2. 71 so Sz(g) = G < GL{d, q). 

The maximal subgroups are given by Theorem 12.31 

Theorem 5.1. Assume the Suzuki Conjectures, an oracle for the discrete loga- 
rithm problem in Fg and an oracle for the integer factorisation problem. There exist 
Las Vegas algorithms that solve the maximal subgroup conjugation in Sz{q) = G ^ 
Gh{d,q). Once constructive recognition has been performed, the expected time com- 
plexity IS 0{ad) log(g) + \og{qf + d^\og{q)iloglog{q)f + {\Y\ + \Z\)ao{\og{q))) + 
d^ \og{q)ao{\og{q)) +X-f(4, 9)) field operations. 

Proof. Let H — Sz{q). In each case, we first use the effective isomorphism 
to map the subgroups to H using 0((i^(|y| + |.^|)) field operations. Therefore we 
henceforth assume that (Y) , (Z) ^ H. 

Observe that all maximal subgroups, except the Suzuki groups over subfields, 
are the normalisers of corresponding cyclic subgroups or Sylow 2-subgroups. The 
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Sylow conjugation algorithms can conjugate these cychc subgroups around, not 
only the Sylow subgroups that they contain. Moreover, the cyclic subgroups and 
Sylow 2-subgroups are the derived groups of the corresponding maximal subgroups. 

Hence we can obtain probable generators for the cyclic subgroups or Sylow 
2-subgroups using 0(^(c?) log((7)) field operations, and we can verify that we have 
the whole of these subgroups as follows: 

(1) For Bi, the generators of the derived group Ui must contain an element 
of order q±t+l. 

(2) For Nij(7i), the generators of the derived group H must contain an ele- 
ment of order q — I. 

(3) For TH, we need not obtain the whole derived group T. It is enough that 
we obtain a subgroup of the derived group that fixes a unique point of O, 
but this might require 0{log{q)) generators. 

Note that in these cases we need the integer factorisation oracle to find the 
precise order. When we have generators for the cyclic subgroups, we use Theorem 
I4.1|, 14.21 and 14.41 to find conjugating elements for the cyclic subgroups. These ele- 
ments will also conjugate the maximal subgroups, because they normalise the cyclic 
subgroups. 

Finally, consider the case when (Y) and (Z) are isomorphic to a Suzuki group 
over Fs <¥q. In this case we first use the algorithm in Section [1.2. 10. 2) to obtain 
ci,C2 € GL(4, g) that conjugates (Y) and (Z) into GL(4, s). Then we use Theorem 
13.171 to find C3 € GL(4, s) that conjugates the Suzuki groups to each other. Hence 
c = ciCac^^ conjugates {Y) to {Z), and therefore it normalises H. However, c does 
not necessarily lie in H, but only in NGL(4,g)(^) — H:¥q, since neither ci nor C2 
are guaranteed to lie in H. Therefore c — (7/4)5 where g € H and 7 G Fg. We can 
find 7 by calculating the determinant and taking its (unique) 4th root, so we can 
divide by the scalar matrix, and we then end up with g, which also conjugates (Y) 
to {Z). 

Finally we use the effective isomorphism to map g to G. The expected time 
complexity follows from Theorem 14.11 14.21 14.41 and 13.171 □ 

Lemma 5.2. If g,h e G = Sz{q) satisfy that \g\ = 2, \h\ = 4, \gh\ — 4 and 
\gh^\ — qit + 1, then {g, h) ^ Gq±t+i '■ C4 and hence is a maximal subgroup of G. 

Proof. Clearly, {g, h) is an image in G of the group H = (x^ V \ ^ y^, {xyY) = 
1?: C4. Since H is soluble and gl? has the specified order, (g, K) must be one of the 
B., from Theorem O □ 

Theorem 5.3. Assume the Suzuki Conjectures, an oracle for the discrete loga- 
rithm problem in ¥q and an oracle for the integer factorisation problem. There exist 
Las Vegas algorithms that solve the maximal subgroup generation in Sz(q) = G ^ 
GL{d,q). Once constructive recognition has been performed, the expected time com- 
plexity is 0(C(ci)(CTo(log(g)) -hloglog(g)) -\- xp'(4, q) loglog(g) ao{\og{q)){log{qf -\- 
d"^ log((7)(loglog((7))^)) field operations. 
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Proof. Let H = Sz(g). Using the effective isomorpfiism, it is sufficient to 
obtain generators for the maximal subgroups in H . 

Let a £¥q be aprimitive element. Clearly .FH = {M'{a), S{1, 0)), and Nh(7Y) = 
{M'{a),T). For each e > such that 2e + 1 | 2to + 1, we have Fg < where 
s = 2^''+\ Hence s - 1 | q - 1 and Sz(s) = (T, 5(1, 0), M'(a)('?-i)/(^-i)). 

The difficult case is therefore Bi and 82- We want to use Lemma [5.21 with T 
and S{a, b) playing the roles of x and y. Hence we proceed as follows: 

(1) Choose random g G H oi order qzLt+ 1. Note that we need the integer 
factorisation oracle, since we need the precise order of g. Let A = T^r{g)- 

(2) Let a, b be indeterminates and consider the equations Tr(T5'(a, b)) — and 
Ti{TS{a, 6)^) = A. If we can find solutions for a, b, then by Proposition 
12.91 \TS{a, 6)1 = 4 with high probability, and Proposition l2. 81 implies that 
\TS{a,by \ ^q±t + l. 

(3) The second equation implies a — A*^^, and 

Tr(rS'(a, 6)) = a* + 0*+^ + ab + b* = ^ 

+ a2*+2 + a*6* + 6^ = =^ (5.1) 
b^ + a'+^b + a^+a^' =0 

where the third equation is a* times the first added to the second. 

(4) The quadratic equation has solutions 61 = a*+^ X^S^ ^^"^ 62 = 61 + 
a*+i, which both give the value a'+^il+J^fZ a"^') of Tr(T5(a, b)). Hence 
repeat with another g if X^ilTo*^^^ 7^ which happens with probability 
1/2. 

(5) Lemma [5.21 now implies that (T, S{a, b)) is Bi or 82- 

Finally, we see that we have 0(iTo(log(9))) generators, which we map back 
to G using the effective isomorphism. Hence the expected time complexity is as 
stated. □ 

5.2. Small Ree groups 

We now consider the maximal subgroup problems for the small Ree groups. We 
will use the notation from Section 12.11 We will make heavy use of the fact that we 
can use Theorem 13.621 to constructively recognise the small Ree groups. Hence we 
assume that G satisfies the assumptions in Scction [1.2.71 so Ree((7) = G ^ GL(d, q). 

The maximal subgroups are given by Proposition 12.201 

Theorem 5.4. Assume the small Ree Conjectures and an oracle for the dis- 
crete logarithm problem in ¥q. There exist Las Vegas algorithms that solve the 
maximal subgroup conjugation in Iiee{q) = G ^ GL((i, g) for the point stabiliser, 
the involution centraliser and Ree groups over subfields. Once constructive recogni- 
tion has been performed, the expected time complexity is 0(^£,{d)\og{q) + \og{q)^ + 
Xz3(g)loglog(9)+rf3((|y| + |Z|)(7o(log(g)) + (log(9)loglog(<7))2)+d2log(g)ao(log(g))) 
field operations. 
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Proof. Let H = Ree(g). In each case, we first use the effective isomorphism 
to map the subgroups to H using 0(d'^(|F| + |^|)) field operations. Therefore we 
henceforth assume that {¥) , (Z) ^ H. 

Observe that the point stabiliser is the normaliser of a Sylow 3-subgroup, which 
is the derived group of the point stabiliser. We can therefore obtain probable gener- 
ators for the Sylow 3-subgroup using 0(^((i) \og{q)^ field operations. We only need 
enough generators so that they generate a subgroup of the derived group that fixes 
a unique point of O, and this we can easily verify using the Meat Axe. When we have 
generators for this subgroup, we use Theorem 14.51 to find a conjugating element. 
This element will also conjugate the maximal subgroup, because it normalises the 
Sylow subgroup. 

For the involution centraliser, we choose random elements of (Y) . Since (Y) = 
(y) X PSL(2,(7) for some involution y, with probability 0(l) we will obtain an 
element of even order that powers up to y. We can check that we obtain y since it is 
the unique involution that is centralised by (Y) (and therefore by Y) . Hence we can 
find the involutions y and z that are centralised by (Y) and (Z). By Proposition 
12.261 we can use the dihedral trick to find c E H that conjugates y to z, using 
0(log(g) loglog((7)) field operations. Since {Y) and {Z) centralise these, it follows 
that (Y)" = (Z). 

Finally, consider the case when (Y) and (Z) are isomorphic to a Ree group 
over ¥s < F^. In this case we first use the algorithm in Section [1.2. 10.21 to obtain 
ci,C2 E GL{7,q) that conjugates (Y) and (Z) into GL(7, s). Then we use Theorem 
13.471 to find c E GL(7, s) that conjugates the resulting Ree groups to each other. 
Hence cicc^^ conjugates (Y) to (Z), and hence normalises H. However, it does not 
necessarily lie in H, but only in NGL(7,q){H) = H:¥q, since neither ci nor C2 has to 
lie in H. Therefore it is of the form {jl^)g, where g E H and 7 € Fg. We can find 7 
by calculating the determinant and taking the (unique) 7th root, so we can divide 
by the scalar matrix, and we then end up with g, that also conjugates (Y) to (Z). 

Finally we use the effective isomorphism to map the conjugating element back 
to G. The expected time complexity follows from Theorem 14. 5| 13.471 and [?^^ □ 

Lemma 5.5. If g,h E G = Ree(g) satisfy that \g\ = 2, \h\ = 3, \gh\ = 6 
and \[g,h]\ = q ± 3t + 1 or \[g,h]\ — {q+l)/2, then {g,h) = Cq±3t+i : Ce or 
h) = (C2 X C2 X C(g^i)/4)): Cg and hence is a maximal subgroup of G. 

Proof. Clearly, {g, h) is an image in G of the group H = (x, y \ x"^ ,y^, {xy)^) = 
Z^iCe. Since H is soluble and [g,h] has the specified order, {g,h) must be one of 
the NciAi) from Proposition □ 

Lemma 5.6. Let G — Ree(g). For each k E {q±2>t + l,{q + l)/2}, there exist 
x,y eG = Ree(g) such that \x\ = 2, \y\ = 3, \xy\ = 6 and ?;]| — k. 

Proof. Consider the case k — q ± 3t + 1. There exists H ^ G such that 
H = (a) (6) = Cfe : Cg with \a\ = k and |6| ^ 6. Observe that H' = (a). If x = a-'b^ 
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and y = a'[5^, a*]^^6^^ then xy = b, and [x,y] — for some j, depending on i. 
Clearly we can choose i such that gcd(j, k) — 1, and hence |[a;, = k. 

The other case is analogous. □ 

Lemma 5.7. LetG = Rec{q) and v = h{-l)T . For each k e {q ± M + 1, {q + l)/2}, 
there exist a, 6 G Fg such that 1X5(0, a, 6)| = 6 and \ [T, 5(0, a, b)] \ = k or 1^5(0, a, 6)| = 
6 and \[v, 5(0, a, b)]\ — k. 

Proof. Let (x, y) be as in Lemma [5T6l It is sufficient to prove that there exists 
a, 6 e Fq such that (x, y) is conjugate to (T, 5(0, a, h)) or (u, 5(0, a, b)). 

Since y has order 3, it fixes a point P. Also, G is doubly transitive so there 
exists ci e G such that PooCi = P- Then y'^^ — 5(0, a, b) for some a, 6 e F^. Observe 
that x'^i does not fix Poo, since otherwise |[a;, y]| = 3. 

Now Poqx'^^ — R for some point i?, and Gp^ acts transitively on the points 
other than Poo, so there exists C2 G Gp^ such that Rc2 = Pq- Then x'^'^'^'^ inter- 
changes Pq and Poo, and so does T. Hence x'^^'^^T^^ e {h{X)), so x'^'^'^^ = /i(A)'T, 
for some ^ i < q — 1. 

Let /c = i/2 (mod (g- l)/2) such that s$ /c < 1, and let C3 = /i(A)'=. There 
are two possible values for k, either 2k = i 01 2k = i + {q — l)/2. In the former case 
2.C1C2C3 ^ ^jjj ^Yie latter case a:^!^^'^^ ^ ;j(;^)(9-i)/2y ^ □ 

Conjecture 5.8. Let q — 32'"+! for some m > and let t = 3'". For every 
a G F^, the ideals in Fg[6i, ci, 62, C2] generated by the following syst 
dimensional: 



ems are zero- 



(5.2) 



(5.3) 



bl+bib2 + cl=0 

bj + blbi + cl = 

l-a-bl + b^ + bjbl -c\- b]b2c\ + c\- bjcl = 
l-a^'-bl + bt + blbl - - clblbi + - fe^c? = 

bl - 6162 - C2 = 
bl - blbl -cl = Q 

1 - a - 61 + 62 + blbl + cl~ 6162C2 + C2 + 52C2 = 
1 - a^* - 6^ + 6t + 62^? + 4- clblbi + ct + blcl = 
Theorem 5.9. Assume the small Ree Conjectures, Conjecture 15.81 an oracle 
for the discrete logarithm problem in ¥q and an oracle for the integer factorisation 
problem. There exist Las Vegas algorithms that solve the maximal subgroup genera- 
tion in Kee{q) ^ G ^ GL(fi, q). Once constructive recognition has been performed, 
the expected time complexity is 0(^((i)((To(log((7)) + loglog((7)) + XF(7, q) loglog((7) + 
cro(log(g))(rf^(log(g)loglog(g))2 +log(9)^)) field operations. 

Proof. Let H = Ree{q). Using the effective isomorphism, it is sufficient to 
obtain generators for the maximal subgroups in H. 

Let a e Fg be a primitive element. Clearly U{q)H{q) = {h{a), 5(1, 0, 0)), and by 
following a procedure similar to |Wil06| . we see that C_f/(/i(— 1)) = {h{a), T, 5(0, 1,0)). 
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For each e > such that 2e + 1 | 2m + 1, we have < where s ~ 3^"^+^. Hence 
s - 1 I g - 1 and Ree(s) = (T, 5(1, 0, 0), /i(a)(«-i)/("^i)). 

The difficult cases are therefore the NniAi). In the Ught of Lemma ISTTl we can 
proceed as fohows: 

(1) Choose random g E H oi order g ± 3i + 1 or (g + l)/2, corresponding to 
the order of Ai. By CoroUarv 12 . 241 this is done using expected 0((^((i) + 
\og{q) loglog(g) + xf(7, q)) loglog(g)) field operations. Note that we need 
the integer factorisation oracle since we need the precise order in this case. 

(2) Introduce indeterminates x, y and consider the equations Tr(T5'(0, x,y)) = 
1 and Tr([T, S{0, x, y)]) = Tr(sr), or similarly with v instead of T. We want 
to find solutions a,b for x,y as in the Lemma. By Proposition 12.251 the 
trace determines the order in these cases, which leads us to consider these 
equations. 

(3) Elements of order 6 have trace 1. Hence we obtain equations in x,y: 

Tr(T5(0,x,y)) = l 
(Tr(T5(0,a;,y))3* = l 

(5.4) 

Tr[T,5(0,a;,y)] = Trg 
(Tr[T,5(0,x,2;)])3* = (Tr#* 

By letting bi — x, b2 — x* , ci — y, C2 = y*, this is precisely one of the 
systems in Conjecture 15. 8[ and thus we can use Theorem 11.31 to find all 
solutions using 0(log(7) field operations. 

(4) By Lemma [5.71 there will be solutions a,b. By Lemma [5.51 the resulting 
5(0, a, b) generates N//(yli) together with T or v. 

Finally, we see that we have O(cro(log(g))) generators, which we map back 
to G using the effective isomorphism. Hence the expected time complexity is as 
stated. □ 



5.3. Big Ree groups 

We now consider the maximal subgroup problems for the Big Ree groups. We 
will use the notation from Section 12.31 s-nd we will make heavy use of the fact that 
we can use Theorem 13 . 791 to constructively recognise the Big Ree groups. However, 
we can only do this in the natural representation, and hence we will only consider 
the maximal subgroup problems in the natural representation. 

The maximal subgroups are listed in [MalQlj . but we will only generate some 
of them. 

Theorem 5.10. Assume Coniectures \'3A\ and 13.641 and an oracle for the dis- 
crete logarithm problem in ¥q. There exist Las Vegas algorithms that, given ^F4(g) = 
(X) < GL(26, q) finds (Yi) , {Y2) , {Y3) , (Y^) ^ {X) such that (Yi) and {Y2) are the 
two maximal parabolics, (Ys) ^ Sz(g);C2 and {Y4) = Sp(4, g):C2. Once constructive 
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recognition has been performed, the expected time complexity is 0(l) field opera- 
tions. 

Proof. Let H = ^F4{q), and let tp : {X) —> H he the effective isomorphism. 
Generators for the subgroups are given in Proposition 12.361 and Proposition 12.441 
Since they all have constant size, and pre-images of (p can be computed in 0(l) 
field operations, we obtain Yi, F2, 5^3, Y4 in 0(l) field operations. □ 



CHAPTER 6 



Implementation and performance 

All the algorithms that have been described have been implemented in the 
computer algebra system Magma. As we remarked in Section 11.2.111 the imple- 
mentation has been a major part of the work and has heavily influenced the nature 
of the theoretical results. The algorithms have been developed with the implemen- 
tation in mind from the start, and hence only algorithms that can be implemented 
and executed on current hardware have been developed. 

This chapter is concerned with the implementation, and we will provide ex- 
perimental evidence of the fact that the algorithms indeed are efficient in practice. 
The evidence will be in the form of benchmark results, tables and diagrams. This 
chapter is therefore not so much about mathematics, but rather about software 
engineering or computer science. 

The implementations were developed during a time span of 2-3 years, using 
Magma versions 2.11-5 and above. The benchmark results have all been produced 
using version 2.13-12, Intel64 flavour, statically linked. 

The hardware used during the benchmark was a PC, with an Intel Xeon CPU, 
clocked at 2.80 GHz, and with 1 GB of RAM. The operating system was Debian 
GNU/Linux Sarge, with kernel version 2.6.8-12-em64t-p4-smp. 

The implementations used the existing Magma implementations of the algo- 
rithms described in Chapter [TJ These include implementations of the following: 

• A discrete log algorithm, in particular Coppersmith's algorithm. The im- 
plementation is described in |Tho01| . 

• The product replacement algorithm. 

• The algorithm from Theorem ll.il 

• The Order algorithm, for calculating the order (or pseudo-order) of a 
matrix. 

• The black box naming algorithm from |BKPSC)2| . 

• The algorithms from Theorems 11.121 and 11.131 

• The three algorithms from Section fl. 2. 101 

We used MATLAB and |R D05j to produce the fi gures. In every case, the 
benchmark of an algorithm was performed by running the algorithm a number of 
times for each field with size q lying in some specified range. We then recorded 
the time t (in seconds) taken by the algorithm. However, to be able to compare 
the benchmark results with our stated time complexities, we want to display not 
the time in seconds, but the number of field operations. Moreover, the input size 

122 



6.1. SUZUKI GROUPS 



123 



is polynomial in log(g) and not q. Hence we first recorded the time tk for k mul- 
tiplications in ¥q and display t/tu against \og{q). Of course, fc = 1 is in principle 
enough, but we chose k = 10^ to achieve a scaling of the graph. 

In Magma, Zech logarithms are used for the finite field arithmetic in Fg if g ^ 
qz (for some qz, at present qz ~ S'^'^), and for larger fields Magma represents the 
field elements as polynomials over the largest subfield that is smaller than qz, rather 
than over the prime field. The reason is that the polynomials then have fewer terms, 
and hence the field arithmetic is faster, than if the polynomials have coefhcients in 
the prime field. Since the subfield is small enough to use Zech logarithms, arithmetic 
in the subfield is not much slower than in the prime field. 

Now consider a field of size p". If n is prime, there are no subfields except the 
prime field, and the field arithmetic will be slow, but if n has a divisor only slightly 
smaller than qz, then the field arithmetic will be fast. Since it might happen that 
n is prime but n + 1 is divisible by qz, we will get jumps in our benchmark figures, 
unless we turn off all these optimisations in Magma. Therefore, this is what we do, 
and hence any jumps are the result of group theoretical properties, the discrete log 
and factorisation oracles, and the probabilistic nature of the algorithms. 

All the non-constructive recognition algorithms that we have presented, in Sec- 
tions [XTTT| 13.2.1] and are extremely fast, and in practice constant time for the 
field sizes under consideration. Hence we do not display any benchmarks of them. 

6.1. Suzuki groups 

In the cases of the Suzuki groups, the field size is always q — 2^™+^ for some 
m > 0. Hence we display the time against m. 

In Figure 16.11 we show the benchmark of the first two steps of the algorithm 
in Theorem 13.121 where a stabiliser in Si{q) of a point of O is computed. For each 
field size, we made 100 runs of the algorithms, using random generating sets and 
random points. 

Notice that the time is very much dominated by the discrete logarithm compu- 
tations. The oscillations in the discrete log timings have number theoretic reasons. 
When m = 52, the factorisation of q — 1 contains no prime with more than 6 dec- 
imal digits, hence discrete log is very fast. On the other hand, when ni = 64, the 
factorisation of g — 1 contains a prime with 26 decimal digits. 

In Figure 16.21 we show the benchmark of the algorithm in Theorem 13.171 For 
each field size, we made 100 runs of the algorithms, using random generating sets 
of random conjugates of Sz(g). 

The time complexity stated in the theorem suggests that the graph should be 
slightly worse than linear. Figure 16.21 clearly supports this. The minor oscillations 
can have at least two reasons. The algorithm is randomised, and the core of the 
algorithm is to find an element of order g — 1 by random search. The proportion of 
such elements is (/)(g — l)/(2(g — 1)) which oscillates slightly when q increases. 
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Figure 6.1. Benchmark of Suzuki stabiliser computation 

We do not include graphs of the tensor decomposition algorithms for the Suzuki 
groups. The reason is that at the present time, they can only be executed on a small 
number of inputs (certainly not more than d E {16, 64, 256} and q £ {8, 32, 128}) 
before running out of memory. Hence there is not much of a graph to display. 

6.2. Small Ree groups 

In the cases of the small Ree groups, the field size is always q = 32™+! for some 
m > 0. Hence we display the time against m. 

In Figure 16.31 we show the benchmark of the algorithm in Theorem 13.471 For 
each field size, we made 100 runs of the algorithms, using random generating sets 
of random conjugates of Ree(g). As can be seen from the proof of the Theorem, the 
algorithm involves many ingredients: discrete logarithms, SLP evaluations, SL(2, q) 
recognition. To avoid making the graph unreadable, we avoid displaying the timings 
for these various steps, and only display the total time. The graph still has jumps, 
for reasons similar as with the Suzuki groups. 

We do not include graphs of the tensor decomposition algorithms for the small 
Ree groups. The reason is that at the present time, they can only be executed 
on a small number of inputs (certainly not more than d S {49, 189, 729} and q G 
{27, 243}) before running out of memory. Hence there is not much of a graph to 
display. 
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Figure 6.2. Benchmark of Suzuki conjugation 

6.3. Big Ree groups 

In the cases of the Big Ree groups, the field size is always q — 2^™+-'^ for some 
m > 0. Hence we display the time against m. 

In Figure 16.41 we show the benchmark of the algorithm in Theorem 13.791 This 
involves all the results presented for the Big Ree groups. 

For each field size, we made 100 runs of the algorithms, using random generating 
sets of random conjugates of '^¥i{q). As can be seen from the proof of the Theorem, 
the algorithm involves many ingredients: discrete logarithms, SLP evaluations, Sz(q) 
recognition, SL(2, q) recognition. To avoid making the graph unreadable, we avoid 
displaying the timings for these various steps, and only display the total time. 
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Figure 6.3. Benchmark of small Ree conjugation 
Benchmark of Large Ree recognition 
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Figure 6.4. Benchmark of Large Ree conjugation 
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